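<html>
<head> <meta charset="utf-8"> </head>
  <body>

    <!--
      CSP test fixture: this markup declares no policy of its own, and the
      notes below say "no CSP", so both image loads are expected to succeed.
      NOTE(review): response headers are not visible from this file; confirm
      that the harness serves this page without a Content-Security-Policy
      header.
    -->

    <!-- this should be allowed (no CSP) -->
    <!-- img is a void element: no end tag. Empty alt marks it as a probe, not content. -->
    <img src="http://example.org/tests/dom/security/test/csp/file_CSP.sjs?testid=img_good&type=img/png" alt="">


    <script>
      // Request a second document over XHR. The second image is inserted only
      // from the onload handler, i.e. after that response has been received
      // and parsed as a document (responseType "document").
      // NOTE(review): presumably file_bug941404_xhr.html is served with its own
      // CSP and the point of the test is that the response's policy must not
      // be applied to this requesting page — confirm against the test driver.
      var req = new XMLHttpRequest();
      req.onload = function() {
        // this should be allowed (no CSP)
        try {
          var img = document.createElement("img");
          img.src = "http://example.org/tests/dom/security/test/csp/file_CSP.sjs?testid=img2_good&type=img/png";
          document.body.appendChild(img);
        } catch (e) {
          console.log("yo: " + e);
        }
      };
      // A failed request never reaches onload, so img2_good would never be
      // requested and nothing would be logged. Record the failure so that case
      // is distinguishable from a blocked image load.
      req.onerror = function() {
        console.log("XHR for file_bug941404_xhr.html failed");
      };
      req.open("get", "file_bug941404_xhr.html", true);
      req.responseType = "document";
      req.send();
    </script>

  </body>
</html>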