content-security-policy/unsafe-hashes/javascript_src_allowed-href_blank-script-src-attr.html - external/w3c/web-platform-tests - Git at Google

 <!DOCTYPE HTML>
 <html>
 <head>
     <meta http-equiv="Content-Security-Policy" content="script-src-attr 'unsafe-hashes' 'nonce-abc'
     'sha256-N5bidCKdNO1nSPa1G7MdL6S7Y7MKZ7UMIS/40JBMSe4=';">
     <script src="/resources/testharness.js" nonce="abc"></script>
     <script src="/resources/testharnessreport.js" nonce="abc"></script>
     <script src="support/helper.js" nonce="abc"></script>
 </head>
 <body>
     <script nonce="abc">
     // script-src-attr CSP should not have effects because navigation CSP
     // checks are done against script-src-elem.
     // https://w3c.github.io/webappsec-csp/#effective-directive-for-inline-check
     runTest(true, '<a href target=_blank>', ' (script-src-attr should not be used)');
     </script>
 </body>
 </html>
	<!DOCTYPE HTML>
	<html>
	<head>
	<meta http-equiv="Content-Security-Policy" content="script-src-attr 'unsafe-hashes' 'nonce-abc'
	'sha256-N5bidCKdNO1nSPa1G7MdL6S7Y7MKZ7UMIS/40JBMSe4=';">
	<script src="/resources/testharness.js" nonce="abc"></script>
	<script src="/resources/testharnessreport.js" nonce="abc"></script>
	<script src="support/helper.js" nonce="abc"></script>
	</head>
	<body>
	<script nonce="abc">
	// script-src-attr CSP should not have effects because navigation CSP
	// checks are done against script-src-elem.
	// https://w3c.github.io/webappsec-csp/#effective-directive-for-inline-check
	runTest(true, '<a href target=_blank>', ' (script-src-attr should not be used)');
	</script>
	</body>
	</html>