31 lines
1 KiB
JavaScript
31 lines
1 KiB
JavaScript
// META: title=FetchLater: blocked by CSP
|
|
// META: script=/common/utils.js
|
|
// META: script=/common/get-host-info.sub.js
|
|
// META: script=/fetch/fetch-later/resources/fetch-later-helper.js
|
|
'use strict';
|
|
|
|
const {
|
|
HTTPS_NOTSAMESITE_ORIGIN,
|
|
} = get_host_info();
|
|
|
|
// FetchLater requests blocked by Content Security Policy are rejected.
|
|
// https://w3c.github.io/webappsec-csp/#should-block-request
|
|
|
|
const meta = document.createElement('meta');
|
|
meta.setAttribute('http-equiv', 'Content-Security-Policy');
|
|
meta.setAttribute('content', 'connect-src \'self\'');
|
|
document.head.appendChild(meta);
|
|
|
|
promise_test(async t => {
|
|
const uuid = token();
|
|
const cspViolationUrl =
|
|
generateSetBeaconURL(uuid, {host: HTTPS_NOTSAMESITE_ORIGIN});
|
|
fetchLater(cspViolationUrl, {activateAfter: 0});
|
|
|
|
await new Promise(
|
|
resolve => window.addEventListener('securitypolicyviolation', e => {
|
|
assert_equals(e.violatedDirective, 'connect-src');
|
|
resolve();
|
|
}));
|
|
t.done();
|
|
}, 'FetchLater blocked by CSP should reject');
|