| <!DOCTYPE html> |
| <html> |
| <head> |
| <meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline' 'self'"> |
| <script src="/resources/testharness.js"></script> |
| <script src="/resources/testharnessreport.js"></script> |
| <script> |
| var t = async_test("blob: does not match 'self' (see step 2 of http://www.w3.org/TR/CSP2/#match-source-expression)"); |
| |
| t.step(function () { |
| var b = new Blob(['assert_unreached();'], { type: 'application/javascript' }); |
| |
| var script = document.createElement('script'); |
| |
| script.addEventListener('load', t.step_func(function () { |
| assert_unreached(); |
| })); |
| |
| script.addEventListener('error', t.step_func(function () { |
| t.done(); |
| })); |
| |
| script.src = URL.createObjectURL(b); |
| document.head.appendChild(script); |
| }); |
| </script> |
| </head> |
| <body> |
| </body> |
| </html> |