Content-Type & Nosniff Ignored on XML External Entity Resources
[WebKit-https.git] / LayoutTests / http / tests / security / contentTypeOptions / nosniff-xml-external-entity.xhtml
1 <?xml version="1.0" encoding="UTF-8"?>
  <!--
    Layout test for external parsed entities combined with the
    'X-Content-Type-Options: nosniff' response header.
    The DOCTYPE internal subset below declares seven SYSTEM entities. Each one
    requests the same script-with-header.pl resource with a different mime=
    query value, and each is referenced from its own <script> element in <head>.
    The onload handler passes only if window.scriptsSuccessfullyLoaded equals 4.
    Assumption to confirm against script-with-header.pl (not shown on this page):
    the resource replies with the requested Content-Type plus the nosniff header,
    and its body increments window.scriptsSuccessfullyLoaded when it runs.
  -->
2 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
3         "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"
4 [
  <!-- entA to entD request XML MIME types (application/xml, text/xml and the two
       xml-external-parsed-entity types). Going by the expected count of 4, these
       are presumably the entities that are meant to load. -->
5 <!ENTITY entA SYSTEM "http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=application/xml">
6 <!ENTITY entB SYSTEM "http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=text/xml">
7 <!ENTITY entC SYSTEM "http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=application/xml-external-parsed-entity">
8 <!ENTITY entD SYSTEM "http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=text/xml-external-parsed-entity">
  <!-- entE to entG request non-XML MIME types (application/pdf, text/html,
       text/javascript). Per the page title these are presumably the "improper"
       types that a nosniff response must cause to be blocked. -->
9 <!ENTITY entE SYSTEM "http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=application/pdf">
10 <!ENTITY entF SYSTEM "http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=text/html">
11 <!ENTITY entG SYSTEM "http://127.0.0.1:8000/security/contentTypeOptions/resources/script-with-header.pl?mime=text/javascript">
12 ]>
13 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
14 <head>
15     <title>'X-Content-Type-Options: nosniff' blocks xml external entity resources with improper MIME type</title>
      <!-- js-test-pre.js is loaded from the test harness; shouldBe, finishJSTest
           and description used below are presumably defined there (not shown). -->
16     <script src="/js-test-resources/js-test-pre.js"></script>
      <!-- Setup: marks the test as asynchronous, zeroes the load counter, and
           defers the check to onload so it runs after the entity scripts below.
           NOTE(review): the assertion compares only the total (4). It does not
           record which entities loaded, so a run where one XML type is blocked
           and one non-XML type is accepted would still pass. Confirm whether
           per-entity results are checked elsewhere, for example in the expected
           output for this test. -->
17     <script type="text/javascript">
18         window.jsTestIsAsync = true;
19         window.scriptsSuccessfullyLoaded = 0;
20
21         window.onload = function () {
22             shouldBe('window.scriptsSuccessfullyLoaded', '4');
23             finishJSTest();
24         };
25     </script>
      <!-- Each script element below contains nothing but one entity reference, so
           whatever the XML parser substitutes for that entity becomes the script
           text. A blocked entity should therefore contribute no script at all. -->
26     <script type="text/javascript">&entA;</script>
27     <script type="text/javascript">&entB;</script>
28     <script type="text/javascript">&entC;</script>
29     <script type="text/javascript">&entD;</script>
30     <script type="text/javascript">&entE;</script>
31     <script type="text/javascript">&entF;</script>
32     <script type="text/javascript">&entG;</script>
33 </head>
34 <body>
      <!-- Human-readable summary passed to the harness description() helper. -->
35     <script type="text/javascript">
36         description('Check that xml external entity resources loaded with an \'X-Content-Type-Options: nosniff\' header are correctly accepted or blocked based on the MIME type.');
37     </script>
38     <script src="/js-test-resources/js-test-post.js"></script>
39 </body>
40 </html>