<html> <head> <meta charset="utf-8"> </head> <body> <!-- this should be allowed (no CSP)--> <img src="http://example.org/tests/dom/security/test/csp/file_CSP.sjs?testid=img_good&type=img/png"> </img> <script type="text/javascript"> var req = new XMLHttpRequest(); req.onload = function() { //this should be allowed (no CSP) try { var img = document.createElement("img"); img.src="http://example.org/tests/dom/security/test/csp/file_CSP.sjs?testid=img2_good&type=img/png"; document.body.appendChild(img); } catch(e) { console.log("yo: "+e); } }; req.open("get", "file_bug941404_xhr.html", true); req.responseType = "document"; req.send(); </script> </body> </html>