| <!DOCTYPE html> |
| <html> |
| <head> |
| <script> |
| if (window.testRunner) |
| testRunner.dumpAsText(); |
| </script> |
| <meta http-equiv="Content-Security-Policy" content="script-src 'sha256-CYFBl0kdL4jzV5rJMIUoDtxfH9SQTP1JFh2GOcvAFGA=' 'sha256-F/ojdO7hFCTL+kP9GCfFTGQjf48FyI/WJIuqgntJh7Y='"> |
| <meta http-equiv="Content-Security-Policy" content="script-src 'sha384-lGSUJY8XM9swnZ5dBAz++lf/CdJJiL5N12dIcSIwVFgJ0UWFEJKEAiqA9DE53c/r' 'sha256-F/ojdO7hFCTL+kP9GCfFTGQjf48FyI/WJIuqgntJh7Y='"> |
| </head> |
| <body> |
| <p>Tests that an inline script is allowed to execute only if its hash appears in all policies. This test PASSED if there are two console warnings and a JavaScript alert with message PASS. Otherwise, it FAILED.</p> |
| <script>alert("FAIL did execute first script")</script> <!-- 'sha256-CYFBl0kdL4jzV5rJMIUoDtxfH9SQTP1JFh2GOcvAFGA=' --> |
| <script>alert("FAIL did execute second script")</script> <!-- 'sha384-lGSUJY8XM9swnZ5dBAz++lf/CdJJiL5N12dIcSIwVFgJ0UWFEJKEAiqA9DE53c/r' --> |
| <script>alert("PASS")</script> <!-- 'sha256-F/ojdO7hFCTL+kP9GCfFTGQjf48FyI/WJIuqgntJh7Y=' --> |
| </body> |
| </html> |
