testing/web-platform/tests/content-security-policy/prefetch-src/prefetch-blocked-by-default.html


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25

<!DOCTYPE html>
<html>
<head>
  <!-- Block everything by default, but allow the page's scripts to execute. -->
  <meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src 'unsafe-inline' 'self'">

  <script src='/resources/testharness.js'></script>
  <script src='/resources/testharnessreport.js'></script>
  <script src='/content-security-policy/support/testharness-helper.js'></script>
  <script src='/content-security-policy/support/prefetch-helper.js'></script>
  <script>
    async_test(t => {
      let url = window.origin + '/content-security-policy/support/fail.png';

      let link = document.createElement('link');
      link.rel = 'prefetch';
      link.href = url;

      assert_link_does_not_prefetch(t, link);
    }, "`default-src`-blocked prefetch generates report.");
  </script>
</head>
<body>
</body>
</html>