<html>
  <head>
    <link rel='stylesheet' type='text/css'
          href='http://example.org/tests/dom/security/test/csp/file_CSP.sjs?testid=style_bad&type=text/css' />
    <link rel='stylesheet' type='text/css'
          href='file_CSP.sjs?testid=style_good&type=text/css' />


    <style>
      /* CSS font embedding tests */
      @font-face {
        font-family: "arbitrary_good";
        src: url('file_CSP.sjs?testid=font_good&type=application/octet-stream');
      }
      @font-face {
        font-family: "arbitrary_bad";
        src: url('http://example.org/tests/dom/security/test/csp/file_CSP.sjs?testid=font_bad&type=application/octet-stream');
      }

      .div_arbitrary_good { font-family: "arbitrary_good"; }
      .div_arbitrary_bad { font-family: "arbitrary_bad"; }
    </style>
  </head>
  <body>
    <!-- these should be stopped by CSP.  :) -->
    <img src="http://example.org/tests/dom/security/test/csp/file_CSP.sjs?testid=img_bad&type=img/png"> </img>
    <audio src="http://example.org/tests/dom/security/test/csp/file_CSP.sjs?testid=media_bad&type=audio/vorbis"></audio>
    <script src='http://example.org/tests/dom/security/test/csp/file_CSP.sjs?testid=script_bad&type=text/javascript'></script>
    <iframe src='http://example.org/tests/dom/security/test/csp/file_CSP.sjs?testid=frame_bad&content=FAIL'></iframe>
    <object width="10" height="10">
      <param name="movie" value="http://example.org/tests/dom/security/test/csp/file_CSP.sjs?testid=object_bad&type=application/x-shockwave-flash">
      <embed src="http://example.org/tests/dom/security/test/csp/file_CSP.sjs?testid=object_bad&type=application/x-shockwave-flash"></embed>
    </object>

    <!-- these should load ok.  :) -->
    <img src="file_CSP.sjs?testid=img_good&type=img/png" />
    <audio src="file_CSP.sjs?testid=media_good&type=audio/vorbis"></audio>
    <script src='file_CSP.sjs?testid=script_good&type=text/javascript'></script>
    <iframe src='file_CSP.sjs?testid=frame_good&content=PASS'></iframe>

    <object width="10" height="10">
      <param name="movie" value="file_CSP.sjs?testid=object_good&type=application/x-shockwave-flash">
      <embed src="file_CSP.sjs?testid=object_good&type=application/x-shockwave-flash"></embed>
    </object>

    <!-- XHR tests... they're taken care of in this script,
         and since the URI doesn't have any 'testid' values,
         it will just be ignored by the test framework.  -->
    <script src='file_main.js'></script>

    <!-- Support elements for the @font-face test -->
    <div class="div_arbitrary_good">arbitrary good</div>
    <div class="div_arbitrary_bad">arbitrary_bad</div>
  </body>
</html>