blob: cdefcd2d2c9a5fa8cd4436591ac31f3ff26700fd (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
|
<!DOCTYPE html>
<!-- Test verifies that using a HTML document as a stylesheet has no observable
differences with and without CORB:
- The cross-origin stylesheet requires a correct text/css Content-Type
and therefore won't render even without CORB. This aspect of this test
is similar to the style-css-mislabeled-as-html.sub.html test.
- Even if the Content-Type requirements were relaxed for cross-origin stylesheets,
the HTML document is unlikely to parse as a stylesheet (unless a polyglot
HTML/CSS document is crafted as part of an attack) and therefore the
observable behavior should be indistinguishable from parsing the empty,
CORB-blocked response as a stylesheet.
-->
<meta charset="utf-8">
<title>CSS is not applied (because of mismatched Content-Type header)</title>
<script src=/resources/testharness.js></script>
<script src=/resources/testharnessreport.js></script>
<!-- Default style that will be applied if the external stylesheet resource
below won't load for any reason. This stylesheet will set h1's
color to green (see |default_color| below). -->
<style>
h1 { color: green; }
</style>
<!-- This is not really a stylesheet... -->
<!-- www1 is cross-origin, so the HTTP response is CORB-eligible -->
<link rel="stylesheet" type="text/css"
href="http://{{domains[www1]}}:{{ports[http][0]}}/fetch/corb/resources/html-correctly-labeled.html">
<body>
<h1 id="header">Header example</h1>
<p>Paragraph body</p>
</body>
<script>
test(() => {
var style = getComputedStyle(document.getElementById('header'));
const default_color = 'rgb(0, 128, 0)'; // green
assert_equals(style.getPropertyValue('color'), default_color);
});
</script>
|
