<!DOCTYPE HTML>
<html>
<head>
<meta http-equiv="Content-Security-Policy" content="script-src-attr 'unsafe-hashes' 'nonce-abc'
'sha256-wrongwrongwrongwrongwrongwrongwrongwrongwro=';">
<script src="/resources/testharness.js" nonce="abc"></script>
<script src="/resources/testharnessreport.js" nonce="abc"></script>
<script src="support/helper.js" nonce="abc"></script>
</head>
<body>
<script nonce="abc">
// script-src-attr CSP should not have effects because navigation CSP
// checks are done against script-src-elem.
// https://w3c.github.io/webappsec-csp/#effective-directive-for-inline-check
runTest(true, '<a href target=_blank>', ' (script-src-attr should not be used)');
</script>
</body>
</html>