third_party/web_platform_tests/content-security-policy/object-src/object-src-2_1.html - cobalt - Git at Google

 <!DOCTYPE HTML>
 <html>

 <head>
     <title>Objects loaded using data attribute of &lt;object&gt; tag are blocked unless their host is listed as an allowed source in the object-src directive</title>
     <meta name=timeout content=long>
     <script src='/resources/testharness.js'></script>
     <script src='/resources/testharnessreport.js'></script>
 </head>

 <body onLoad="object_loaded()">
     <h1>Objects loaded using data attribute of &lt;object&gt; tag are blocked unless their host is listed as an allowed source in the object-src directive</h1>
     <div id="log"></div>

     <script>
         var relativeMediaURL = "/support/media/flash.swf";
         var pageURL = window.location.toString();
         var temp1 = pageURL.split("//");
         var temp2 = temp1[1].substring(0, temp1[1].lastIndexOf("/object-src/"));
         var mediaURL = "http://www2." + temp2 + relativeMediaURL;
         var htmlStr = "<object id='flashObject' type='application/x-shockwave-flash' data='" + mediaURL + "' width='200' height='200'></object>";
         document.write(htmlStr);
     </script>

     <script>
         var len = navigator.mimeTypes.length;
         var allTypes = "";
         var flashMimeType = "application/x-shockwave-flash";
         for (var i = 0; i < len; i++) {
             allTypes += navigator.mimeTypes[i].type;
         }

         var hasMimeType = allTypes.indexOf(flashMimeType) != -1;

         <!-- The actual test. -->
         var test1 = async_test("Async SWF load test")

         function object_loaded() {
             var elem = document.getElementById("flashObject");
             var is_loaded = false;
             try {
                 <!-- The Flash Player exposes values to JavaScript if a SWF has successfully been loaded. -->
                 var pct_loaded = elem.PercentLoaded();
                 is_loaded = true;
             } catch (e) {}

             if (hasMimeType) {
                 test1.step(function () {
                     assert_false(is_loaded, "External object loaded.")
                 });
                 var s = document.createElement('script');
                 s.async = true;
                 s.defer = true;
                 s.src = "../support/checkReport.sub.js?reportField=violated-directive&reportValue=object-src%20%27self%27"
                 document.lastChild.appendChild(s);
             } else {
                 test1.set_status(test1.NOTRUN, "No Flash Player, cannot run test.");
                 test1.phase = test1.phases.HAS_RESULT;
             }
             test1.done();
         }
     </script>

 </body>

 </html>
	<!DOCTYPE HTML>
	<html>

	<head>
	<title>Objects loaded using data attribute of <object> tag are blocked unless their host is listed as an allowed source in the object-src directive</title>
	<meta name=timeout content=long>
	<script src='/resources/testharness.js'></script>
	<script src='/resources/testharnessreport.js'></script>
	</head>

	<body onLoad="object_loaded()">
	<h1>Objects loaded using data attribute of <object> tag are blocked unless their host is listed as an allowed source in the object-src directive</h1>
	<div id="log"></div>

	<script>
	var relativeMediaURL = "/support/media/flash.swf";
	var pageURL = window.location.toString();
	var temp1 = pageURL.split("//");
	var temp2 = temp1[1].substring(0, temp1[1].lastIndexOf("/object-src/"));
	var mediaURL = "http://www2." + temp2 + relativeMediaURL;
	var htmlStr = "<object id='flashObject' type='application/x-shockwave-flash' data='" + mediaURL + "' width='200' height='200'></object>";
	document.write(htmlStr);
	</script>

	<script>
	var len = navigator.mimeTypes.length;
	var allTypes = "";
	var flashMimeType = "application/x-shockwave-flash";
	for (var i = 0; i < len; i++) {
	allTypes += navigator.mimeTypes[i].type;
	}

	var hasMimeType = allTypes.indexOf(flashMimeType) != -1;

	<!-- The actual test. -->
	var test1 = async_test("Async SWF load test")

	function object_loaded() {
	var elem = document.getElementById("flashObject");
	var is_loaded = false;
	try {
	<!-- The Flash Player exposes values to JavaScript if a SWF has successfully been loaded. -->
	var pct_loaded = elem.PercentLoaded();
	is_loaded = true;
	} catch (e) {}

	if (hasMimeType) {
	test1.step(function () {
	assert_false(is_loaded, "External object loaded.")
	});
	var s = document.createElement('script');
	s.async = true;
	s.defer = true;
	s.src = "../support/checkReport.sub.js?reportField=violated-directive&reportValue=object-src%20%27self%27"
	document.lastChild.appendChild(s);
	} else {
	test1.set_status(test1.NOTRUN, "No Flash Player, cannot run test.");
	test1.phase = test1.phases.HAS_RESULT;
	}
	test1.done();
	}
	</script>

	</body>

	</html>