| <!DOCTYPE html> |
| <html> |
| <head> |
| <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline' 'unsafe-eval'"> |
| <script> |
| if (window.testRunner) |
| testRunner.waitUntilDone(); |
| </script> |
| </head> |
| <body> |
| <p>This tests that a blob-URL JavaScript script fails to load because it does not match Content Security Policy <code>script-src 'self'</code>.</p> |
| <pre id="console"></pre> |
| <script> |
| function log(message) |
| { |
| document.getElementById("console").appendChild(document.createTextNode(message + "\n")); |
| } |
| |
| function done() |
| { |
| if (window.testRunner) |
| testRunner.notifyDone(); |
| } |
| |
| var script = document.createElement("script"); |
| script.onload = function () { |
| log("FAIL should not have fired load event for blob-URL script."); |
| done(); |
| } |
| script.onerror = function () { |
| log("PASS fired error event for blob-URL script."); |
| done(); |
| } |
| script.src = window.URL.createObjectURL(new Blob(["log('FAIL should not have executed blob-URL script.');"])); |
| document.head.appendChild(script); |
| </script> |
| </body> |
| </html> |
