part 5) Provoke a CSP violation for object-src 'none' with "video/m…

…p4" and dummy data instead of with the flash plugin in <trusted-types-reporting.html>. The spec (https://w3c.github.io/webappsec-csp/#object-src) doesn't specify for which types a default plugin is loaded. Moreover, it doesn't specify the behavior when plugin content can *not* be loaded. This patch increases web-compatibility, because it provokes a CSP violation for Gecko/Firefox too. Differential Revision: https://phabricator.services.mozilla.com/D215363 bugzilla-url: https://bugzilla.mozilla.org/show_bug.cgi?id=1901510 gecko-commit: e68da2d23a8e7266701e94dc87e4158cf66c93ca gecko-reviewers: tschuster
web-platform-tests · Jul 3, 2024 · 5dae272 · 5dae272
1 parent 60939fe
commit 5dae272
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/trusted-types/trusted-types-reporting.html b/trusted-types/trusted-types-reporting.html
@@ -89,7 +89,8 @@
   function flush() {
    expect_throws(_ => {
       var o = document.createElement('object');
-      o.type = "application/x-shockwave-flash";
+      o.type = "video/mp4";
+      o.data = "dummy.webm";
       document.body.appendChild(o);
     });
   }