<!doctype html>
<!--
  Checks the securitypolicyviolation event raised when an image load is blocked
  by this document's policy ("img-src 'none'", delivered through the <meta>
  below). The image request comes from the helper script
  inject-image.sub.js rather than from markup on this page, so the event has
  to attribute the violation to that script (sourceFile, lineNumber,
  columnNumber). The blocked request is cross-origin and is never redirected,
  so blockedURI is expected to carry the full URL rather than only the origin
  (CSP reduces a blocked URI to its origin only after a redirect, so that
  redirect targets are not exposed to the page). The double-brace placeholders
  in the expected blockedURI are filled in by the wptserve .sub pipeline.
-->
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/content-security-policy/support/testharness-helper.js"></script>
<meta http-equiv="Content-Security-Policy" content="img-src 'none'">
<body>
<script>
  async_test(t => {
    // Accepted (line, column) pairs for where the violation is attributed inside
    // inject-image.sub.js. Per https://html.spec.whatwg.org/#relevant-mutations the
    // img/source insertion or removal steps count as the relevant mutation, so with
    // an async src load it is the appendChild on line 3 that triggers the load, not
    // the src setter. https://github.com/whatwg/html/issues/10531 is still debating
    // the right trigger, so both locations are accepted for now.
    const acceptedLocations = [
      { line: 3, column: 15 },
      { line: 2, column: 1 },
    ];

    const onViolation = t.step_func_done(e => {
      assert_equals(e.documentURI, document.location.toString());
      assert_equals(e.referrer, document.referrer);
      // Full URL, not just the origin: cross-origin but never redirected.
      assert_equals(e.blockedURI, "http://{{domains[www]}}:{{ports[http][0]}}/content-security-policy/support/fail.png");
      assert_equals(e.violatedDirective, "img-src");
      assert_equals(e.effectiveDirective, "img-src");
      assert_equals(e.originalPolicy, "img-src 'none'");
      // The <meta> policy is enforcing, not report-only.
      assert_equals(e.disposition, "enforce");
      assert_equals(new URL(e.sourceFile).pathname, "/content-security-policy/support/inject-image.sub.js");
      const locationMatches = acceptedLocations.some(
        loc => e.lineNumber == loc.line && e.columnNumber == loc.column
      );
      assert_true(
        locationMatches,
        `Location should be reasonable, got [${e.lineNumber}, ${e.columnNumber}]`
      );
      assert_equals(e.statusCode, 200);
    });

    // Register the listener before the helper script is inserted so the event
    // cannot be missed.
    waitUntilEvent(window, "securitypolicyviolation").then(onViolation);

    // Insert the helper that issues the image request this policy must block.
    var s = document.createElement("script");
    s.src = "/content-security-policy/support/inject-image.sub.js";
    document.body.appendChild(s);
  }, "Non-redirected cross-origin URLs are not stripped.");
</script>