author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 00:47:55 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-19 00:47:55 +0000 |
commit | 26a029d407be480d791972afb5975cf62c9360a6 (patch) | |
tree | f435a8308119effd964b339f76abb83a57c29483 /testing/web-platform/tests/fetch/corb/script-js-mislabeled-as-html-nosniff.sub.html | |
parent | Initial commit. (diff) | |
Adding upstream version 124.0.1.upstream/124.0.1
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'testing/web-platform/tests/fetch/corb/script-js-mislabeled-as-html-nosniff.sub.html')
-rw-r--r-- | testing/web-platform/tests/fetch/corb/script-js-mislabeled-as-html-nosniff.sub.html | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/testing/web-platform/tests/fetch/corb/script-js-mislabeled-as-html-nosniff.sub.html b/testing/web-platform/tests/fetch/corb/script-js-mislabeled-as-html-nosniff.sub.html
new file mode 100644
index 0000000000..b6bc90964d
--- /dev/null
+++ b/testing/web-platform/tests/fetch/corb/script-js-mislabeled-as-html-nosniff.sub.html
@@ -0,0 +1,33 @@
+<!DOCTYPE html>
+<!-- Test verifies that script mislabeled as html won't execute with and without CORB
+ if the nosniff response header is present.
+
+ The expected behavior is covered by the Fetch spec at
+ https://fetch.spec.whatwg.org/#should-response-to-request-be-blocked-due-to-nosniff?
+
+ See also the following tests:
+ - fetch/nosniff/importscripts.html
+ - fetch/nosniff/script.html
+ - fetch/nosniff/worker.html
+-->
+<meta charset="utf-8">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<div id=log></div>
+
+<script>
+setup({ single_test: true });
+window.has_executed_script = false;
+</script>
+
+<!-- www1 is cross-origin, so the HTTP response is CORB-eligible -->
+<script src="http://{{domains[www1]}}:{{ports[http][0]}}/fetch/corb/resources/js-mislabeled-as-html-nosniff.js">
+</script>
+
+<script>
+// Verify what observable effects the <script> tag above had.
+// Assertion should hold with and without CORB:
+assert_false(window.has_executed_script,
+ 'The cross-origin script should not be executed');
+done();
+</script> |
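Review bot: The closing `assert_false(window.has_executed_script, ...)` also holds when the cross-origin resource never loads at all (wrong path, `www1` not served, or a resource body that does not set the flag), so a pass does not on its own show that the nosniff check is what stopped execution. The resource and its response headers are outside this hunk, so this is inferred from the file name and the header comment. If they are as described, a comment above the `<script src=...>` tag such as `<!-- resource sets window.has_executed_script = true; served as text/html with X-Content-Type-Options: nosniff -->` would make that dependency explicit for whoever maintains the resource. A positive control (the same script served without nosniff and asserted to execute), if the suite does not already have one, would guard against a vacuous pass.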