preload-default-csp.sub.html (1681B)
<!doctype html>
<!--
  Policy under test. default-src 'none' is the fallback for every fetch
  directive that is not listed, so style, image, font and media loads have no
  allowed source. Only script-src (same-origin files plus the inline test
  script) and connect-src 'self' are opened up.
  NOTE(review): connect-src 'self' is presumably what lets the helper query the
  server for stashed keys; the helper lives in preload_helper.js, which is not
  shown here. Confirm before tightening the policy.
-->
<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline'; default-src 'none'; connect-src 'self';">
<title>Makes sure that preload requests respect CSP</title>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/preload/resources/preload_helper.js"></script>

<!-- Cross-origin stylesheet preload: same host, second HTTP port. -->
<link rel="preload" href="http://{{host}}:{{ports[http][1]}}/preload/resources/stash-put.py?key={{uuid()}}" as="style">

<!-- Same-origin preloads, one per "as" destination exercised by the test. -->
<link rel="preload" href="/preload/resources/stash-put.py?key={{uuid()}}" as="style">
<link rel="preload" href="/preload/resources/stash-put.py?key={{uuid()}}" as="image">
<link rel="preload" href="/preload/resources/stash-put.py?key={{uuid()}}" as="font" crossorigin>
<link rel="preload" href="/preload/resources/stash-put.py?key={{uuid()}}" as="video">
<link rel="preload" href="/preload/resources/stash-put.py?key={{uuid()}}" as="audio">
<link rel="preload" href="/preload/resources/stash-put.py?key={{uuid()}}" as="track">

<!-- Unrecognised "as" value, then no "as" attribute at all. -->
<link rel="preload" href="/preload/resources/stash-put.py?key={{uuid()}}" as="foobarxmlthing">
<link rel="preload" href="/preload/resources/stash-put.py?key={{uuid()}}">

<body>
<script>
// Negative test: every preload declared above carries a unique key in its
// URL, and none of those keys may be reported as having reached the server.
promise_test(async (t) => {
  verifyPreloadAndRTSupport();

  // Pull the key out of the query string of each preload link, in document
  // order. The pattern is anchored at the end of the resolved URL.
  const keyPattern = /\?key=([a-zA-Z0-9\-]+)$/;
  const keys = Array.from(document.querySelectorAll('link'))
    .filter((el) => el.rel === 'preload')
    .map((el) => el.href.match(keyPattern)[1]);

  // Fixed 3 s grace period so a request that slipped past the policy has time
  // to arrive. This is a timing bound: a request landing later than that
  // would not be caught by the checks below.
  await new Promise((done) => step_timeout(done, 3000));

  // hasArrivedAtServer comes from preload_helper.js (not shown); it is
  // expected to tell whether the server recorded the given key.
  for (const key of keys) {
    assert_false(await hasArrivedAtServer(key));
  }
}, 'Preload requests are blocked by CSP ("default-src \'none\').');
</script>