OLD | NEW |
1 <!DOCTYPE html> | 1 <!DOCTYPE html> |
2 <html> | 2 <html> |
3 <head> | 3 <head> |
4 <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-i
nline' 'self'"> | 4 <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-i
nline' 'self'"> |
| 5 <script src="/resources/testharness.js"></script> |
| 6 <script src="/resources/testharnessreport.js"></script> |
| 7 <script> |
| 8 var t = async_test("blob: does not match 'self' (see step 2 of http:
//www.w3.org/TR/CSP2/#match-source-expression)"); |
| 9 |
| 10 t.step(function () { |
| 11 var b = new Blob(['assert_unreached();'], { type: 'application/j
avascript' }); |
| 12 |
| 13 var script = document.createElement('script'); |
| 14 |
| 15 script.addEventListener('load', t.step_func(function () { |
| 16 assert_unreached(); |
| 17 })); |
| 18 |
| 19 script.addEventListener('error', t.step_func(function () { |
| 20 t.done(); |
| 21 })); |
| 22 |
| 23 script.src = URL.createObjectURL(b); |
| 24 document.head.appendChild(script); |
| 25 }); |
| 26 </script> |
5 </head> | 27 </head> |
6 <body> | 28 <body> |
7 <p> | |
8 blob: URLs are same-origin with the page in which they were created, | |
9 and should therefore match the 'self' source in CSP directives. | |
10 </p> | |
11 | |
12 <script> | |
13 if (window.testRunner) { | |
14 testRunner.dumpAsText(); | |
15 testRunner.waitUntilDone(); | |
16 } | |
17 function pass() { | |
18 alert("PASS (1/1)!"); | |
19 if (window.testRunner) | |
20 testRunner.notifyDone(); | |
21 } | |
22 | |
23 var b = new Blob(['pass();'], { type: 'application/javascript' }); | |
24 | |
25 var script = document.createElement('script'); | |
26 script.src = URL.createObjectURL(b); | |
27 document.body.appendChild(script); | |
28 </script> | |
29 </body> | 29 </body> |
30 </html> | 30 </html> |
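Review bot: The `error` listener at new lines 19-21 calls `t.done()` for any failed load of the blob URL, so the test passes even when the failure has nothing to do with the `script-src 'unsafe-inline' 'self'` policy in the `<meta>` tag. Since the test asserts that `blob:` does not match `'self'`, it would be stronger to also observe the violation itself, for example `document.addEventListener('securitypolicyviolation', t.step_func(function (e) { assert_equals(e.blockedURI.indexOf('blob'), 0); }));`, and to finish the test only once both events have been seen. The exact `blockedURI` value and the ordering of the two events should be confirmed against the engines this test targets. Separately, the object URL assigned at new line 23 is never released; calling `URL.revokeObjectURL(script.src);` in both handlers would stop the test from leaving the blob registered.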
OLD | NEW |