blob: 2de6a48eb219df9230e4ba5e6523bbd549d53676 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
|
<!DOCTYPE HTML>
<html>
<head>
<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-hashes' 'nonce-abc' 'sha256-thisdoesnotmatch'; img-src *;">
<title>Event handlers should be not allowed if a matching hash is not present</title>
<script src='/resources/testharness.js' nonce='abc'></script>
<script src='/resources/testharnessreport.js' nonce='abc'></script>
</head>
<body>
<div id='log'></div>
<script nonce='abc'>
var t1 = async_test("Test that the inline event handler is not allowed to run");
window.addEventListener('securitypolicyviolation', t1.step_func_done(function(e) {
assert_equals(e.violatedDirective, 'script-src-attr');
assert_equals(e.blockedURI, 'inline');
}));
</script>
<img src='../support/pass.png'
onload='t1.unreached_func("Should not have executed handler");'>
</body>
</html>
|