content-security-policy/prefetch-src/prefetch-header-blocked-by-default.html - external/w3c/web-platform-tests - Git at Google

 <!DOCTYPE html>
 <html>
 <head>
   <!-- Headers:
     Content-Security-Policy: default-src 'none'; script-src 'unsafe-inline' 'self'; img-src 'self'; style-src 'self'
     Link: </content-security-policy/support/fail.png>;rel=prefetch
   -->
   <script src='/resources/testharness.js'></script>
   <script src='/resources/testharnessreport.js'></script>
   <script src='/content-security-policy/support/testharness-helper.js'></script>
   <script src='/content-security-policy/support/prefetch-helper.js'></script>
   <script>
     async_test(t => {
       let url = window.origin + '/content-security-policy/support/fail.png';
       waitUntilCSPEventForURL(t, url)
         .then(t.step_func_done(e => {
           assert_equals(e.violatedDirective, 'prefetch-src');

           // This assert verifies both that the resource wasn't downloaded
           // when prefetched via `Link` on both this document itself, and
           // on the stylesheet subresource below.
           assert_resource_not_downloaded(t, url);
         }));

         // Load a stylesheet that tries to trigger a prefetch:
         let link = document.createElement('link');
         link.rel = 'stylesheet';
         link.href = '/content-security-policy/support/prefetch-subresource.css';
         document.head.appendChild(link);
     }, 'Prefetch via `Link` header blocked when allowed by default-src');
   </script>
 </head>
 <body>
 </body>
 </html>
	<!DOCTYPE html>
	<html>
	<head>
	<!-- Headers:
	Content-Security-Policy: default-src 'none'; script-src 'unsafe-inline' 'self'; img-src 'self'; style-src 'self'
	Link: </content-security-policy/support/fail.png>;rel=prefetch
	-->
	<script src='/resources/testharness.js'></script>
	<script src='/resources/testharnessreport.js'></script>
	<script src='/content-security-policy/support/testharness-helper.js'></script>
	<script src='/content-security-policy/support/prefetch-helper.js'></script>
	<script>
	async_test(t => {
	let url = window.origin + '/content-security-policy/support/fail.png';
	waitUntilCSPEventForURL(t, url)
	.then(t.step_func_done(e => {
	assert_equals(e.violatedDirective, 'prefetch-src');

	// This assert verifies both that the resource wasn't downloaded
	// when prefetched via `Link` on both this document itself, and
	// on the stylesheet subresource below.
	assert_resource_not_downloaded(t, url);
	}));

	// Load a stylesheet that tries to trigger a prefetch:
	let link = document.createElement('link');
	link.rel = 'stylesheet';
	link.href = '/content-security-policy/support/prefetch-subresource.css';
	document.head.appendChild(link);
	}, 'Prefetch via `Link` header blocked when allowed by default-src');
	</script>
	</head>
	<body>
	</body>
	</html>