| <!DOCTYPE html> |
| <html> |
| <head> |
| <script src="resources/wait-until-done.js"></script> |
| <script src="resources/dump-as-text.js"></script> |
| <meta http-equiv="Content-Security-Policy" content="img-src http://127.0.0.1:8000/resources/redirect.py"> |
| </head> |
| <body> |
| <p>Tests that a cross-origin image loaded via a redirect is blocked by the Content Security Policy. This test PASSED if there is a console warning message.</p> |
| <script> |
| // Expect the blocked URI to be the requested origin, not the redirect target. |
| document.addEventListener('securitypolicyviolation', e => { |
| document.body.innerHTML = `blockedURI = <b>${e.blockedURI}</b><br/><br/>`; |
| window.testRunner.notifyDone(); |
| }); |
| </script> |
| <img src="http://127.0.0.1:8000/resources/redirect.py?code=307&url=http%3A//127.0.0.1%3A8000/resources/redirect.py%3Furl=http%3A//localhost%3A8000/resources/abe.png" width="128" height="128"> |
| </body> |
| </html> |