<html> <head> <link rel='stylesheet' type='text/css' href='http://example.org/tests/dom/security/test/csp/file_CSP.sjs?testid=style_bad&type=text/css' /> <link rel='stylesheet' type='text/css' href='file_CSP.sjs?testid=style_good&type=text/css' /> <style> /* CSS font embedding tests */ @font-face { font-family: "arbitrary_good"; src: url('file_CSP.sjs?testid=font_good&type=application/octet-stream'); } @font-face { font-family: "arbitrary_bad"; src: url('http://example.org/tests/dom/security/test/csp/file_CSP.sjs?testid=font_bad&type=application/octet-stream'); } .div_arbitrary_good { font-family: "arbitrary_good"; } .div_arbitrary_bad { font-family: "arbitrary_bad"; } </style> </head> <body> <!-- these should be stopped by CSP. :) --> <img src="http://example.org/tests/dom/security/test/csp/file_CSP.sjs?testid=img_bad&type=img/png"> </img> <audio src="http://example.org/tests/dom/security/test/csp/file_CSP.sjs?testid=media_bad&type=audio/vorbis"></audio> <script src='http://example.org/tests/dom/security/test/csp/file_CSP.sjs?testid=script_bad&type=text/javascript'></script> <iframe src='http://example.org/tests/dom/security/test/csp/file_CSP.sjs?testid=frame_bad&content=FAIL'></iframe> <object width="10" height="10"> <param name="movie" value="http://example.org/tests/dom/security/test/csp/file_CSP.sjs?testid=object_bad&type=application/x-shockwave-flash"> <embed src="http://example.org/tests/dom/security/test/csp/file_CSP.sjs?testid=object_bad&type=application/x-shockwave-flash"></embed> </object> <!-- these should load ok. :) --> <img src="file_CSP.sjs?testid=img_good&type=img/png" /> <audio src="file_CSP.sjs?testid=media_good&type=audio/vorbis"></audio> <script src='file_CSP.sjs?testid=script_good&type=text/javascript'></script> <iframe src='file_CSP.sjs?testid=frame_good&content=PASS'></iframe> <object width="10" height="10"> <param name="movie" value="file_CSP.sjs?testid=object_good&type=application/x-shockwave-flash"> <embed src="file_CSP.sjs?testid=object_good&type=application/x-shockwave-flash"></embed> </object> <!-- XHR tests... they're taken care of in this script, and since the URI doesn't have any 'testid' values, it will just be ignored by the test framework. --> <script src='file_main.js'></script> <!-- Support elements for the @font-face test --> <div class="div_arbitrary_good">arbitrary good</div> <div class="div_arbitrary_bad">arbitrary_bad</div> </body> </html>