| <!DOCTYPE html> |
| <html> |
| <head> |
| <title>'X-Content-Type-Options: nosniff;' blocks scripts!</title> |
| <body> |
| <script src="/js-test-resources/js-test-pre.js"></script> |
| <script> |
| description('Check that script sent with an invalid \'X-Content-Type-Options: nosniff\' header is correctly allowed, even if the MIME type isn\'t scripty.'); |
| window.jsTestIsAsync = true; |
| |
| var unscriptyMimeTypes = [ |
| 'application/json', |
| 'text/html', |
| 'text/vbs', |
| 'text/vbscript', |
| 'text/x-javascript', |
| ]; |
| |
| window.scriptsSuccessfullyLoaded = 0; |
| |
| for (var i = 0; i < unscriptyMimeTypes.length; i++) { |
| document.write('<script src="./resources/script-with-header.pl?mime=' + unscriptyMimeTypes[i] + '&options=invalid"><' + '/script>'); |
| } |
| |
| window.onload = function () { |
| shouldBe('window.scriptsSuccessfullyLoaded', 'unscriptyMimeTypes.length'); |
| finishJSTest(); |
| }; |
| </script> |
| <script src="/js-test-resources/js-test-post.js"></script> |
| </body> |
| </html> |