script-js-mislabeled-as-html-nosniff.sub.html (1095B)
<!DOCTYPE html>
<!--
  Checks that a cross-origin script whose response is labeled as HTML is not
  executed when the response also carries the nosniff header
  (X-Content-Type-Options: nosniff). The outcome must be the same with and
  without CORB.

  The expected behavior is specified by Fetch:
  https://fetch.spec.whatwg.org/#should-response-to-request-be-blocked-due-to-nosniff?

  Related tests:
  - fetch/nosniff/importscripts.html
  - fetch/nosniff/script.html
  - fetch/nosniff/worker.html
-->
<meta charset="utf-8">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<div id="log"></div>

<script>
  // The whole file is one test; it finishes when done() is called below.
  setup({ single_test: true });
  // Sentinel checked at the end of the file. Presumably the mislabeled
  // resource sets it to true if it ever runs (its body is not shown here).
  window.has_executed_script = false;
</script>

<!--
  www1 is a different origin from the test page, so the HTTP response is
  CORB-eligible.
-->
<script
  src="http://{{domains[www1]}}:{{ports[http][0]}}/fetch/corb/resources/js-mislabeled-as-html-nosniff.js"
></script>

<script>
  // Observe the effect of the <script> element above. The sentinel must still
  // be false whether or not CORB is involved.
  // NOTE(review): this shows only that the script did not run; a load that
  // failed for an unrelated reason (for example a missing resource) would
  // pass the same assertion.
  assert_false(
    window.has_executed_script,
    'The cross-origin script should not be executed'
  );
  done();
</script>