LayoutTests/http/tests/security/contentSecurityPolicy/inline-event-handler-blocked-after-injecting-meta.html - WebKit - Git at Google

 <!DOCTYPE html>
 <head>
 <body>
   <script>
     if (window.testRunner)
       testRunner.dumpAsText();

     console.log("Clicking a link, pre-policy:");
     var clicked = 0;
     var a = document.createElement('a')
     a.setAttribute('onclick', 'console.log(clicked++ ? \'FAIL: Event handler triggered post-policy.\' : \'PASS: Event handler triggered pre-policy.\')');
     a.click();

     console.log("Injecting Content-Security-Policy.");
     var m = document.createElement('meta');
     m.setAttribute('content', 'default-src \'self\'');
     m.setAttribute('http-equiv', 'Content-Security-Policy');
     document.head.appendChild(m);
     console.log("Clicking a link, post-policy:");
     a.click();
   </script>
   <p>This test checks that CSP is evaluated on each call to an inline event handler, even if it's been executed pre-policy. It passes if one 'PASS' and no 'FAIL' messages appear.</p>
 </body>
 </html>
	<!DOCTYPE html>
	<head>
	<body>
	<script>
	if (window.testRunner)
	testRunner.dumpAsText();

	console.log("Clicking a link, pre-policy:");
	var clicked = 0;
	var a = document.createElement('a')
	a.setAttribute('onclick', 'console.log(clicked++ ? \'FAIL: Event handler triggered post-policy.\' : \'PASS: Event handler triggered pre-policy.\')');
	a.click();

	console.log("Injecting Content-Security-Policy.");
	var m = document.createElement('meta');
	m.setAttribute('content', 'default-src \'self\'');
	m.setAttribute('http-equiv', 'Content-Security-Policy');
	document.head.appendChild(m);
	console.log("Clicking a link, post-policy:");
	a.click();
	</script>
	<p>This test checks that CSP is evaluated on each call to an inline event handler, even if it's been executed pre-policy. It passes if one 'PASS' and no 'FAIL' messages appear.</p>
	</body>
	</html>