tenfourfox/testing/web-platform/tests/content-security-policy/blink-contrib-2/script-src-wildcards-disallowed.html

<!DOCTYPE html>
<html>
    <head>
    <title>script-src disallowed wildcard use</title>
    <script src="/resources/testharness.js"></script>
    <script src="/resources/testharnessreport.js"></script>
    </head>
    <body>
    <!-- enforcing policy:
script-src 'nonce-nonce' *; connect-src 'self';
-->
    <script nonce="nonce">
        var t1 = async_test('data: URIs should not match *');
        t1.step(function() {
            var script = document.createElement("script");
            script.src = 'data:application/javascript,';
            script.addEventListener('load', t1.step_func(function() {
                assert_unreached('Should not successfully load data URI.');
            }));
            script.addEventListener('error', t1.step_func(function() {
                t1.done();
            }));
            document.head.appendChild(script);
        });

        var t2 = async_test('blob: URIs should not match *');
        t2.step(function() {
            var b = new Blob([''], { type: 'application/javascript' });
            var script = document.createElement('script');
            script.addEventListener('load', t2.step_func(function() {
                assert_unreached('Should not successfully load blob URI.');
            }));
            script.addEventListener('error', t2.step_func(function() {
                t2.done();
            }));

            script.src = URL.createObjectURL(b);
            document.head.appendChild(script);
        });

        var t3 = async_test('filesystem URIs should not match *');
        if (window.webkitRequestFileSystem) {
            window.webkitRequestFileSystem(TEMPORARY, 1024*1024 /*1MB*/, function(fs) {
                fs.root.getFile('fail.js', {create: true}, function(fileEntry) {
                    fileEntry.createWriter(function(fileWriter) {
                        var script = document.createElement('script');

                        script.addEventListener('load', t3.step_func(function() {
                            assert_unreached('Should not successfully load filesystem URI.');
                        }));
                        script.addEventListener('error', t3.step_func(function() {
                            t3.done();
                        }));

                        script.src = fileEntry.toURL('application/javascript');
                        document.body.appendChild(script);
                    });
                });
            });
        } else {
          t3.done();
        }
    </script>
    </body>
</html>