| <!DOCTYPE html> |
| <html> |
| <head> |
| <title>'X-Content-Type-Options: nosniff;' blocks scripts!</title> |
| <body> |
| <script src="/js-test-resources/js-test-pre.js"></script> |
| <script> |
| description('Check that script sent with an \'X-Content-Type-Options: nosniff\' header is correctly blocked if the MIME type isn\'t scripty.'); |
| window.jsTestIsAsync = true; |
| |
| var unscriptyMimeTypes = [ |
| 'application/json', |
| 'image/png', |
| 'text/html', |
| 'text/vbs', |
| 'text/vbscript', |
| 'text/xx-javascript', |
| ]; |
| |
| window.scriptsSuccessfullyLoaded = 0; |
| |
| for (var i = 0; i < unscriptyMimeTypes.length; i++) { |
| document.write('<script src="./resources/script-with-header.pl?mime=' + unscriptyMimeTypes[i] + '"><' + '/script>'); |
| } |
| |
| window.onload = function () { |
| shouldBe('window.scriptsSuccessfullyLoaded', '0'); |
| finishJSTest(); |
| }; |
| </script> |
| <script src="/js-test-resources/js-test-post.js"></script> |
| </body> |
| </html> |