1 files changed, 37 insertions, 0 deletions

diff --git a/testing/web-platform/tests/content-security-policy/prefetch-src/prefetch-header-blocked.html b/testing/web-platform/tests/content-security-policy/prefetch-src/prefetch-header-blocked.html
new file mode 100644
index 0000000000..a2abef3c17
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/prefetch-src/prefetch-header-blocked.html
@@ -0,0 +1,37 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <!-- Headers:
+    Content-Security-Policy: prefetch-src 'none'
+    Link: </content-security-policy/support/fail.png>;rel=prefetch
+  -->
+  <script src='/resources/testharness.js'></script>
+  <script src='/resources/testharnessreport.js'></script>
+  <script src='/content-security-policy/support/testharness-helper.js'></script>
+  <script src='/content-security-policy/support/prefetch-helper.js'></script>
+  <script>
+    async_test(t => {
+      let url = window.origin + '/content-security-policy/support/fail.png';
+      waitUntilCSPEventForURL(t, url)
+        .then(t.step_func_done(e => {
+          assert_equals(e.violatedDirective, 'prefetch-src');
+
+          // This assert verifies both that the resource wasn't downloaded
+          // when prefetched via `Link` on both this document itself, and
+          // on the stylesheet subresource below.
+          assert_resource_not_downloaded(t, url);
+        }));
+
+        // Load a stylesheet that tries to trigger a prefetch:
+        let link = document.createElement('link');
+        link.rel = 'stylesheet';
+        link.href = '/content-security-policy/support/prefetch-subresource.css';
+        document.head.appendChild(link);
+    }, 'Prefetch via `Link` header blocked when allowed by prefetch-src');
+  </script>
+</head>
+<body>
+</body>
+</html>
+
+