| <!DOCTYPE HTML> |
| <html> |
| <head> |
| <title>default-src should cascade to script-src directive</title> |
| <meta http-equiv="Content-Security-Policy" content="default-src 'self' 'unsafe-inline'; report-uri ../support/report.py?op=put&reportID={{$id}}"> |
| <script src='/resources/testharness.js'></script> |
| <script src='/resources/testharnessreport.js'></script> |
| <script src='../support/siblingPath.js'></script> |
| </head> |
| <body> |
| <h1>default-src should cascade to script-src directive</h1> |
| <div id='log'></div> |
| |
| <script> |
| var scriptsrc1 = async_test("Verify cascading of default-src to script-src policy: block"); |
| var scriptsrc2 = async_test("Verify cascading of default-src to script-src policy: allow"); |
| var allowedScriptRan = false; |
| var t_spv = async_test("Should fire violation events for every failed violation"); |
| |
| window.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) { |
| assert_equals(e.violatedDirective, "script-src-elem"); |
| })); |
| </script> |
| |
| <script src='pass-0_1.js'></script> |
| |
| <script> |
| var inlineScript = document.createElement('script'); |
| inlineScript.src = buildSiblingPath('www1', 'fail-0_1.js'); |
| document.getElementById('log').appendChild(inlineScript); |
| onload = function() { |
| scriptsrc1.done(); |
| scriptsrc2.step( function() { assert_true(allowedScriptRan, "allowed script didn't run") }); |
| scriptsrc2.done(); |
| } |
| </script> |
| </body> |
| </html> |
