<!DOCTYPE HTML>
<html>
<head>
<title>A report-only policy that does not allow a script should not affect an enforcing policy using hashes.</title>
<!-- nonces are here just to let all of our scripts run -->
<script nonce="abc" src='/resources/testharness.js'></script>
<script nonce="abc" src='/resources/testharnessreport.js'></script>
</head>
<body>
<script nonce="abc">
var t = async_test("Test that script executes if allowed by proper hash values");
var t_spv = async_test("Test that the securitypolicyviolation event is fired");
document.addEventListener("securitypolicyviolation", t_spv.step_func_done(function(e) {
assert_equals(e.violatedDirective, "script-src-elem");
assert_equals(e.disposition, "report");
assert_equals(e.blockedURI, "inline");
}));
var executed = false;
</script>
<!-- test will fail if this script is not allowed to run -->
<script>executed = true;</script>
<script nonce="abc">
t.step(function() {
assert_true(executed);
t.done();
});
</script>
</body>
</html>
Codebase Browser
chromium