style-html-correctly-labeled.sub.html (1700B)
1 <!DOCTYPE html> 2 <!-- Test verifies that using a HTML document as a stylesheet has no observable 3 differences with and without CORB: 4 - The cross-origin stylesheet requires a correct text/css Content-Type 5 and therefore won't render even without CORB. This aspect of this test 6 is similar to the style-css-mislabeled-as-html.sub.html test. 7 - Even if the Content-Type requirements were relaxed for cross-origin stylesheets, 8 the HTML document is unlikely to parse as a stylesheet (unless a polyglot 9 HTML/CSS document is crafted as part of an attack) and therefore the 10 observable behavior should be indistinguishable from parsing the empty, 11 CORB-blocked response as a stylesheet. 12 --> 13 <meta charset="utf-8"> 14 <title>CSS is not applied (because of mismatched Content-Type header)</title> 15 <script src=/resources/testharness.js></script> 16 <script src=/resources/testharnessreport.js></script> 17 18 <!-- Default style that will be applied if the external stylesheet resource 19 below won't load for any reason. This stylesheet will set h1's 20 color to green (see |default_color| below). --> 21 <style> 22 h1 { color: green; } 23 </style> 24 25 <!-- This is not really a stylesheet... --> 26 <!-- www1 is cross-origin, so the HTTP response is CORB-eligible --> 27 <link rel="stylesheet" type="text/css" 28 href="http://{{domains[www1]}}:{{ports[http][0]}}/fetch/corb/resources/html-correctly-labeled.html"> 29 30 <body> 31 <h1 id="header">Header example</h1> 32 <p>Paragraph body</p> 33 </body> 34 35 <script> 36 test(() => { 37 var style = getComputedStyle(document.getElementById('header')); 38 const default_color = 'rgb(0, 128, 0)'; // green 39 assert_equals(style.getPropertyValue('color'), default_color); 40 }); 41 </script>