preload-csp.sub.html (1940B)
1 <!DOCTYPE html> 2 <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; font-src 'none'; style-src 'none'; img-src 'none'; media-src 'none';"> 3 <title>Makes sure that preload requests respect CSP</title> 4 <script src="/resources/testharness.js"></script> 5 <script src="/resources/testharnessreport.js"></script> 6 <script src="/common/utils.js"></script> 7 <script src="/preload/resources/preload_helper.js"></script> 8 <link rel=preload href="http://{{host}}:{{ports[http][1]}}/preload/resources/stash-put.py?key={{uuid()}}" as=style> 9 <link rel=preload href="/preload/resources/stash-put.py?key={{uuid()}}" as=style> 10 <link rel=preload href="/preload/resources/stash-put.py?key={{uuid()}}" as=json> 11 <link rel=preload href="/preload/resources/stash-put.py?key={{uuid()}}" as=image> 12 <link rel=preload href="/preload/resources/stash-put.py?key={{uuid()}}" as=font crossorigin> 13 <link rel=preload href="/preload/resources/stash-put.py?key={{uuid()}}" as=video> 14 <link rel=preload href="/preload/resources/stash-put.py?key={{uuid()}}" as=audio> 15 <link rel=preload href="/preload/resources/stash-put.py?key={{uuid()}}" as=track> 16 <link rel=preload href="/preload/resources/stash-put.py?key={{uuid()}}" as=foobarxmlthing> 17 <link rel=preload href="/preload/resources/stash-put.py?key={{uuid()}}"> 18 <body> 19 <script> 20 promise_test(async (t) => { 21 verifyPreloadAndRTSupport(); 22 const keys = []; 23 const links = document.querySelectorAll('link'); 24 for (const link of links) { 25 if (link.rel === 'preload') { 26 const r = /\?key=([a-zA-Z0-9\-]+)$/; 27 keys.push([link.href, link.as, link.href.match(r)[1]]); 28 } 29 } 30 await new Promise((resolve) => step_timeout(resolve, 3000)); 31 32 for (const [href, type, key] of keys) { 33 assert_false(await hasArrivedAtServer(key), `Preload with href ${href}, type ${type} and key ${key} should not have arrived at the server.`); 34 } 35 }, 'Preload requests are blocked by CSP.'); 36 </script>