| <!DOCTYPE html> |
| <html> |
| <head> |
| <title>'X-Content-Type-Options: nosniff;' blocks scripts!</title> |
| <body> <!-- NOTE(review): head is never closed explicitly; the HTML parser ends it implicitly at the body start tag. --> |
| <script src="/js-test-resources/js-test-pre.js"></script> |
| <script> /* Verifies that a response carrying 'X-Content-Type-Options: nosniff' together with a non-script MIME type is never executed as script. */ |
| description('Check that script sent with an \'X-Content-Type-Options: nosniff\' header is correctly blocked if the MIME type isn\'t scripty.'); |
| window.jsTestIsAsync = true; /* Asynchronous test: the result is reported when finishJSTest() is called from the onload handler below. */ |
| /* Execution counter checked in onload; presumably incremented by the served script if it ever runs (confirm in resources/script-with-header.pl). */ |
| window.scriptsSuccessfullyLoaded = 0; |
| /* Request the resource as a script while asking for it to be served as application/json; per the description it is sent with nosniff (verify in the .pl resource). Only this one non-script MIME type is exercised here. */ |
| var s = document.createElement('script'); |
| s.src = './resources/script-with-header.pl?mime=application/json'; |
| document.querySelector('head').appendChild(s); |
| /* After load the counter must still be 0. NOTE(review): 0 also results if the resource fails to load for an unrelated reason (e.g. a 404), so this check alone does not prove that nosniff was what blocked execution. */ |
| window.onload = function () { |
| shouldBe('window.scriptsSuccessfullyLoaded', '0'); |
| finishJSTest(); |
| }; |
| </script> |
| <script src="/js-test-resources/js-test-post.js"></script> |
| </body> |
| </html> |