<!DOCTYPE html>
<head>
<body>
<script>
if (window.testRunner)
testRunner.dumpAsText();
console.log("Clicking a link, pre-policy:");
var clicked = 0;
var a = document.createElement('a')
a.setAttribute('onclick', 'console.log(clicked++ ? \'FAIL: Event handler triggered post-policy.\' : \'PASS: Event handler triggered pre-policy.\')');
a.click();
console.log("Injecting Content-Security-Policy.");
var m = document.createElement('meta');
m.setAttribute('content', 'default-src \'self\'');
m.setAttribute('http-equiv', 'Content-Security-Policy');
document.head.appendChild(m);
console.log("Clicking a link, post-policy:");
a.click();
</script>
<p>This test checks that CSP is evaluated on each call to an inline event handler, even if it's been executed pre-policy. It passes if one 'PASS' and no 'FAIL' messages appear.</p>
</body>
</html>
Codebase Browser
chromium