<meta http-equiv="Content-Security-Policy" content="img-src 'none'"/> | |
<script> | |
const js_payload = ` | |
<div> | |
<img src="${window.origin}/content-security-policy/support/fail.png" | |
onload="opener.postMessage(\\\'img loaded\\\', \\\'*\\\');" | |
onerror="opener.postMessage(\\\'img blocked\\\', \\\'*\\\');" | |
> | |
</div> | |
`; | |
open(`javascript:'${js_payload}'`,"_self"); | |
</script> |