| <!DOCTYPE html> |
| <html> |
| <head> |
| <!-- Headers: |
| Content-Security-Policy: default-src 'none'; script-src 'unsafe-inline' 'self'; img-src 'self'; style-src 'self' |
| Link: </content-security-policy/support/fail.png>;rel=prefetch |
| --> |
| <script src='/resources/testharness.js'></script> |
| <script src='/resources/testharnessreport.js'></script> |
| <script src='/content-security-policy/support/testharness-helper.js'></script> |
| <script src='/content-security-policy/support/prefetch-helper.js'></script> |
| <script> |
| async_test(t => { |
| let url = window.origin + '/content-security-policy/support/fail.png'; |
| waitUntilCSPEventForURL(t, url) |
| .then(t.step_func_done(e => { |
| assert_equals(e.violatedDirective, 'prefetch-src'); |
| |
| // This assert verifies both that the resource wasn't downloaded |
| // when prefetched via `Link` on both this document itself, and |
| // on the stylesheet subresource below. |
| assert_resource_not_downloaded(t, url); |
| })); |
| |
| // Load a stylesheet that tries to trigger a prefetch: |
| let link = document.createElement('link'); |
| link.rel = 'stylesheet'; |
| link.href = '/content-security-policy/support/prefetch-subresource.css'; |
| document.head.appendChild(link); |
| }, 'Prefetch via `Link` header blocked when allowed by default-src'); |
| </script> |
| </head> |
| <body> |
| </body> |
| </html> |
| |
| |