invalid-characters-in-policy.html

Enable keyboard shortcuts

This WPT test may be referenced by the following Test IDs:
- /content-security-policy/generic/invalid-characters-in-policy.html - WPT Dashboard Interop Dashboard

<!DOCTYPE HTML>

<html>

<head>

    <script src='/resources/testharness.js'></script>

    <script src='/resources/testharnessreport.js'></script>

</head>

<body>

  <script>

    var tests = [

      // Make sure that csp works properly in normal situations

        "csp": "",

        "expected": true,

        "name": "Should load image without any CSP",

},

        "csp": "img-src 'none';",

        "expected": false,

        "name": "Should not load image with 'none' CSP",

},

      // Now test with non-ASCII characters.

        "csp": "img-src 'none' \u00A1invalid-source; style-src 'none'",

        "expected": true,

        "name": "Non-ASCII character in directive value should drop the whole directive.",

},

        "csp": "img-src ‘none’;",

        "expected": true,

        "name": "Non-ASCII quote character in directive value should drop the whole directive.",

},

        "csp": "img-src 'none'; style-src \u00A1invalid-source 'none'",

        "expected": false,

        "name": "Non-ASCII character in directive value should not affect other directives.",

},

        "csp": "img-src 'none'; style\u00A1-src 'none'",

        "expected": false,

        "name": "Non-ASCII character in directive name should not affect other directives.",

},

];

    tests.forEach(test => {

      async_test(t => {

        var url = "support/load_img_and_post_result_meta.sub.html?csp="

            + encodeURIComponent(test.csp);

        test_image_loads_as_expected(test, t, url);

      }, test.name + " - meta tag");

      async_test(t => {

        var url = "support/load_img_and_post_result_header.html?csp="

            + encodeURIComponent(test.csp);

        test_image_loads_as_expected(test, t, url);

      }, test.name + " - HTTP header");

});

    function test_image_loads_as_expected(test, t, url) {

      var i = document.createElement('iframe');

      i.src = url;

      window.addEventListener('message', t.step_func(function(e) {

        if (e.source != i.contentWindow) return;

        if (test.expected) {

          assert_equals(e.data, "img loaded");

        } else {

          assert_equals(e.data, "img not loaded");

        t.done();

      }));

      document.body.appendChild(i);

  </script>

</body>

</html>