tenfourfox/testing/web-platform/tests/content-security-policy/object-src/object-src-2_2.html

<!DOCTYPE HTML>
<html>
<head>
    <title>Objects loaded using src attribute of &lt;embed&gt; tag are blocked unless their host is listed as an allowed source in the object-src directive</title>
    <meta name=timeout content=long>
    <script src='/resources/testharness.js'></script>
    <script src='/resources/testharnessreport.js'></script>
</head>
<body onLoad="object_loaded()">
    <h1>Objects loaded using src attribute of &lt;embed&gt; tag are blocked unless their host is listed as an allowed source in the object-src directive</h1>
    <div id="log"></div>

    <script>
      var relativeMediaURL = "/support/media/flash.swf";
      var pageURL = window.location.toString();
      var temp1 = pageURL.split("//");
      var temp2 = temp1[1].substring (0, temp1[1].lastIndexOf("/object-src/"));
      var mediaURL = "http://www2." + temp2 + relativeMediaURL;
      var htmlStr = "<embed id='flashObject' type='application/x-shockwave-flash' src='" + mediaURL + "' width='200' height='200'></object>";
      document.write (htmlStr);
    </script>

    <script>
      var len = navigator.mimeTypes.length;
      var allTypes = "";
      var flashMimeType = "application/x-shockwave-flash";
      for ( var i=0;i<len;i++ ) {
        allTypes+=navigator.mimeTypes[i].type;
      }

      var hasMimeType = allTypes.indexOf(flashMimeType) != -1;

      <!-- The actual test. -->
      var test1 = async_test("Async SWF load test")

      function object_loaded() {
        var elem = document.getElementById("flashObject");
        var is_loaded = false;
        try {
          <!-- The Flash Player exposes values to JavaScript if a SWF has successfully been loaded. -->
          var pct_loaded = elem.PercentLoaded();
          is_loaded = true;
        } catch (e) {}

        if (hasMimeType) {
          test1.step(function() {assert_false(is_loaded, "External object loaded.")});
          var s = document.createElement('script');
              s.async = true;
              s.defer = true;
              s.src = "../support/checkReport.sub.js?reportField=violated-directive&reportValue=object-src%20%27self%27"
          document.lastChild.appendChild(s);
        } else {
          //test1.step(function() {});
          test1.set_status(test1.NOTRUN, "No Flash Player, cannot run test.");
          test1.phase = test1.phases.HAS_RESULT;
        }
        test1.done();
      }
    </script>
</body>
</html>