The Tor Browser: content/base/test/csp/file_CSP_bug885433

content/base/test/csp/file_CSP_bug885433_blocks.html@b8a032363ba2 (annotated)

Thu, 22 Jan 2015 13:21:57 +0100

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

 <!doctype html>
 <!--
 The Content-Security-Policy header for this file is:
   Content-Security-Policy: default-src 'self';
 The Content-Security-Policy header for this file includes the default-src
 directive, which triggers the default behavior of blocking unsafe-inline and
 unsafe-eval on scripts, and unsafe-inline on styles.
 -->
 <html>
 <body>
   <ol>
     <li id="unsafe-inline-script-blocked">Inline script blocked (this text should be black)</li>
     <li id="unsafe-eval-script-blocked">Eval script blocked (this text should be black)</li>
     <li id="unsafe-inline-style-blocked">Inline style blocked (this text should be black)</li>
   </ol>
   <script>
     // Use inline script to set a style attribute
     document.getElementById("unsafe-inline-script-blocked").style.color = "green";
     // Use eval to set a style attribute
     // try/catch is used because CSP causes eval to throw an exception when it
     // is blocked, which would derail the rest of the tests  in this file.
     try {
       eval('document.getElementById("unsafe-eval-script-blocked").style.color = "green";');
     } catch (e) {}
   </script>
   <style>
     li#unsafe-inline-style-blocked {
       color: green;
     }
   </style>
 </body>
 </html>