chromium/third_party/blink/web_tests/http/tests/security/contentTypeOptions/nosniff-dynamic-script-blocked.html

<!DOCTYPE html>
<html>
<head>
    <!--
      Web test: a dynamically inserted <script> whose response carries
      'X-Content-Type-Options: nosniff' together with a non-script MIME type
      (application/json here) must not be executed.
      Security relevance: with nosniff the declared Content-Type is binding for
      script loads, so a response labelled as data is not run as script even
      when a page references it from a <script> element.
    -->
    <title>'X-Content-Type-Options: nosniff;' blocks scripts!</title>
<body>
    <script src="/js-test-resources/js-test.js"></script>
    <script>
        description('Check that script sent with an \'X-Content-Type-Options: nosniff\' header is correctly blocked if the MIME type isn\'t scripty.');
        // Async mode: the harness waits for the finishJSTest() call made in
        // the load handler below instead of finishing when this script ends.
        window.jsTestIsAsync = true;

        // Execution counter, initialised to 0 and never changed by this page.
        // Presumably the fetched resource increments it if it ever runs;
        // verify against resources/script-with-header.pl.
        window.scriptsSuccessfullyLoaded = 0;

        // Create the script element dynamically and request the resource with
        // mime=application/json. Presumably the Perl helper echoes that value
        // as the Content-Type and adds the nosniff header (helper not shown
        // here; confirm).
        var s = document.createElement('script');
        s.src = './resources/script-with-header.pl?mime=application/json';
        // Appending the element to <head> starts the fetch.
        document.querySelector('head').appendChild(s);

        // The assertion runs at window load. This relies on the pending
        // script fetch delaying the load event, so the fetch has been
        // resolved (blocked or executed) before the counter is read.
        // NOTE(review): a counter of 0 also results if the resource fails to
        // load for an unrelated reason (e.g. a missing helper), so this check
        // alone does not prove the nosniff block was the cause. Consider
        // pairing it with a positive control using a script MIME type.
        window.onload = function () {
            shouldBe('window.scriptsSuccessfullyLoaded', '0');
            finishJSTest();
        };
    </script>
</body>
</html>