| <?xml version="1.0" encoding="UTF-8"?> |
| <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" |
| "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd" |
| [ |
<!--
  Internal DTD subset: fourteen external parsed entities, every one fetched
  from the same loopback test-server script (script-with-header.pl) and
  differing only in the query string.
  entA to entG request seven MIME values: application/xml, text/xml,
  application/xml-external-parsed-entity, text/xml-external-parsed-entity,
  application/pdf, text/html and text/javascript.
  NOTE(review): judging by the parameter name and the page title, this first
  group is presumably answered with 'X-Content-Type-Options: nosniff'; the
  script itself is not shown here, so confirm against it.
  The raw ampersand in the second group's system identifiers sits inside a
  quoted system literal, where XML does not treat it as the start of a
  reference.
-->
| <!ENTITY entA SYSTEM "http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=application/xml"> |
| <!ENTITY entB SYSTEM "http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=text/xml"> |
| <!ENTITY entC SYSTEM "http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=application/xml-external-parsed-entity"> |
| <!ENTITY entD SYSTEM "http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=text/xml-external-parsed-entity"> |
| <!ENTITY entE SYSTEM "http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=application/pdf"> |
| <!ENTITY entF SYSTEM "http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=text/html"> |
| <!ENTITY entG SYSTEM "http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=text/javascript"> |
<!--
  entNA to entNG repeat the same seven MIME values with
  no-content-type-options=1 added to the query, presumably so the response
  omits the nosniff header (confirm against script-with-header.pl).
-->
| <!ENTITY entNA SYSTEM "http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?no-content-type-options=1&mime=application/xml"> |
| <!ENTITY entNB SYSTEM "http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?no-content-type-options=1&mime=text/xml"> |
| <!ENTITY entNC SYSTEM "http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?no-content-type-options=1&mime=application/xml-external-parsed-entity"> |
| <!ENTITY entND SYSTEM "http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?no-content-type-options=1&mime=text/xml-external-parsed-entity"> |
| <!ENTITY entNE SYSTEM "http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?no-content-type-options=1&mime=application/pdf"> |
| <!ENTITY entNF SYSTEM "http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?no-content-type-options=1&mime=text/html"> |
| <!ENTITY entNG SYSTEM "http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?no-content-type-options=1&mime=text/javascript"> |
| ]> |
| <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> |
| <head> |
<!--
  Regression test for MIME-type checks on XML external entities. Per the
  title and the description() text, entity bodies served with an improper
  MIME type are expected to be blocked and the others accepted.
-->
| <title>'X-Content-Type-Options: nosniff' blocks xml external entity resources with improper MIME type</title> |
| <script src="/js-test-resources/js-test-pre.js"></script> |
<!--
  Asynchronous test set-up: a global counter starts at 0 and is compared
  with the expected total exactly once, in the load handler, before
  finishJSTest() ends the run.
-->
| <script type="text/javascript"> |
| window.jsTestIsAsync = true; |
| window.scriptsSuccessfullyLoaded = 0; |
| |
| window.onload = function () { |
| shouldBe('window.scriptsSuccessfullyLoaded', '8'); |
| finishJSTest(); |
| }; |
| </script> |
<!--
  One inline script per entity: the script text is whatever the XML parser
  substitutes for the entity reference. Nothing in this file increments
  window.scriptsSuccessfullyLoaded, so the increment presumably comes from
  the fetched entity bodies (script-with-header.pl is not shown; confirm).
  NOTE(review): the only assertion is a total of 8 out of 14 references.
  That total matches the four XML-family MIME types (application/xml,
  text/xml and the two *-external-parsed-entity types) loading in both
  groups while pdf, html and javascript are refused in both, but this
  reading is inferred from the count alone; check it against the expected
  results. An aggregate count cannot show which entity was accepted or
  blocked, so one unexpected load and one unexpected block would cancel
  out. A per-entity marker would make a regression in the blocking path
  visible.
-->
| <script type="text/javascript">&entA;</script> |
| <script type="text/javascript">&entB;</script> |
| <script type="text/javascript">&entC;</script> |
| <script type="text/javascript">&entD;</script> |
| <script type="text/javascript">&entE;</script> |
| <script type="text/javascript">&entF;</script> |
| <script type="text/javascript">&entG;</script> |
<!-- Same seven MIME values, requested with no-content-type-options=1. -->
| <script type="text/javascript">&entNA;</script> |
| <script type="text/javascript">&entNB;</script> |
| <script type="text/javascript">&entNC;</script> |
| <script type="text/javascript">&entND;</script> |
| <script type="text/javascript">&entNE;</script> |
| <script type="text/javascript">&entNF;</script> |
| <script type="text/javascript">&entNG;</script> |
| </head> |
| <body> |
<!--
  description(), shouldBe() and finishJSTest() are not defined in this file;
  presumably they come from the js-test harness scripts loaded from
  /js-test-resources/ (confirm).
-->
| <script type="text/javascript"> |
| description('Check that xml external entity resources loaded are correctly accepted or blocked based on the MIME type.'); |
| </script> |
| <script src="/js-test-resources/js-test-post.js"></script> |
| </body> |
| </html> |