The Tor Browser: content/base/test/csp/file_CSP_bug885433

content/base/test/csp/file_CSP_bug885433_allows.html@b8a032363ba2 (annotated)

Thu, 22 Jan 2015 13:21:57 +0100

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

 <!doctype html>
 <!--
 The Content-Security-Policy header for this file is:
   Content-Security-Policy: img-src 'self';
 It does not include any of the default-src, script-src, or style-src
 directives. It should allow the use of unsafe-inline and unsafe-eval on
 scripts, and unsafe-inline on styles, because no directives related to scripts
 or styles are specified.
 -->
 <html>
 <body>
   <ol>
     <li id="unsafe-inline-script-allowed">Inline script allowed (this text should be green)</li>
     <li id="unsafe-eval-script-allowed">Eval script allowed (this text should be green)</li>
     <li id="unsafe-inline-style-allowed">Inline style allowed (this text should be green)</li>
   </ol>
   <script>
     // Use inline script to set a style attribute
     document.getElementById("unsafe-inline-script-allowed").style.color = "green";
     // Use eval to set a style attribute
     // try/catch is used because CSP causes eval to throw an exception when it
     // is blocked, which would derail the rest of the tests  in this file.
     try {
       eval('document.getElementById("unsafe-eval-script-allowed").style.color = "green";');
     } catch (e) {}
   </script>
   <style>
     li#unsafe-inline-style-allowed {
       color: green;
     }
   </style>
 </body>
 </html>