• file
• revisions
• annotate
• diff
• comparison
• raw

content/base/test/csp/file_bug886164_5.html@b8a032363ba2 (annotated)

content/base/test/csp/file_bug886164_5.html

Thu, 22 Jan 2015 13:21:57 +0100

author

Michael Schloh von Bennewitz <michael@schloh.com>

date

Thu, 22 Jan 2015 13:21:57 +0100

branch

TOR_BUG_9701

changeset 15

b8a032363ba2

permissions

-rw-r--r--

Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6

michael@0	1	<!DOCTYPE HTML>
michael@0	2	<html>
michael@0	3	<head> <meta charset="utf-8"> </head>
michael@0	4	<script type="text/javascript">
michael@0	5	function ok(result, desc) {
michael@0	6	window.parent.postMessage({ok: result, desc: desc}, "*");
michael@0	7	}
michael@0	8
michael@0	9	function doStuff() {
michael@0	10	ok(true, "documents sandboxed with allow-scripts should be able to run inline scripts");
michael@0	11	}
michael@0	12	</script>
michael@0	13	<script src='file_iframe_sandbox_pass.js'></script>
michael@0	14	<body onLoad='ok(true, "documents sandboxed with allow-scripts should be able to run script from event listeners");doStuff();'>
michael@0	15	I am sandboxed but with only inline "allow-scripts"
michael@0	16
michael@0	17	<!-- sandbox="allow-scripts" -->
michael@0	18	<!-- Content-Security-Policy: default-src 'none' 'unsafe-inline'-->
michael@0	19
michael@0	20	<!-- these should be stopped by CSP -->
michael@0	21	<img src="/tests/content/base/test/csp/file_CSP.sjs?testid=img5_bad&type=img/png" />
michael@0	22	<img src="http://example.org/tests/content/base/test/csp/file_CSP.sjs?testid=img5a_bad&type=img/png"> </img>
michael@0	23	<script src='/tests/content/base/test/csp/file_CSP.sjs?testid=script5_bad&type=text/javascript'></script>
michael@0	24	<script src='http://example.org/tests/content/base/test/csp/file_CSP.sjs?testid=script5a_bad&type=text/javascript'></script>
michael@0	25	</body>
michael@0	26	</html>