Test Info:
- This WPT test may be referenced by the following Test IDs:
- /fetch/corb/script-js-mislabeled-as-html-nosniff.sub.html - WPT Dashboard Interop Dashboard
<!DOCTYPE html>
<!-- Test verifies that a script mislabeled as HTML won't execute, with or without CORB,
if the nosniff response header is present.
The expected behavior is covered by the Fetch spec's
"should response to request be blocked due to nosniff?" algorithm (https://fetch.spec.whatwg.org/).
See also the following tests:
- fetch/nosniff/importscripts.html
- fetch/nosniff/script.html
- fetch/nosniff/worker.html
-->
<!-- Declare the encoding, then load the testharness.js framework and its result reporter. -->
<meta charset="utf-8">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<!-- testharness.js writes its result output into the element with id "log". -->
<div id=log></div>
<script>
// single_test mode: the whole file is one test, so assertions are made at the
// top level and the test finishes when done() is called.
setup({ single_test: true });
// Sentinel read by the final assertion. It is initialised before the
// cross-origin script is requested, so any later change to it is an observable
// effect of that script having run.
// NOTE(review): presumably the cross-origin resource sets this to true; its
// body is not part of this file, so confirm against the resource.
window.has_executed_script = false;
</script>
<!-- www1 is cross-origin, so the HTTP response is CORB-eligible.
     The host and port placeholders in the URL are filled in by the WPT server
     (this is a .sub.html test). The test name says the resource is JavaScript
     labelled as HTML and sent with the nosniff header; those response headers
     are configured outside this file, so check them alongside the resource.
     This is a classic script without async or defer, so parsing waits for it:
     the inline script that follows runs only after this load has finished
     or been refused. -->
<script src="http://{{domains[www1]}}:{{ports[http][0]}}/fetch/corb/resources/js-mislabeled-as-html-nosniff.js">
</script>
<script>
// Verify what observable effects the <script> tag above had.
// Assertion should hold with and without CORB:
// with nosniff present, a response whose MIME type is not a JavaScript type
// must not be run as a script, so the block does not depend on CORB.
// A pass therefore does not show which of the two mechanisms refused it.
// NOTE(review): this is a negative check. It also passes if the resource never
// loads for an unrelated reason (wrong path, server error), so a broken
// fixture would go unnoticed. Confirm the resource is reachable and that it
// flips window.has_executed_script when it does run.
assert_false(window.has_executed_script,
'The cross-origin script should not be executed');
// Ends the file-level test started by setup({ single_test: true }).
done();
</script>