The Tor Browser / file comparison
comparison: content/base/test/csp/file_CSP_bug885433_blocks.html
content/base/test/csp/file_CSP_bug885433_blocks.html
- changeset 0
- 6474c204b198
equal
deleted
inserted
replaced
| -1:000000000000 | 0:b773aced1249 |
|---|---|
| 1 <!doctype html> | |
| 2 <!-- | |
| 3 The Content-Security-Policy header for this file is: | |
| 4 | |
| 5 Content-Security-Policy: default-src 'self'; | |
| 6 | |
| 7 The Content-Security-Policy header for this file includes the default-src | |
| 8 directive, which triggers the default behavior of blocking unsafe-inline and | |
| 9 unsafe-eval on scripts, and unsafe-inline on styles. | |
| 10 --> | |
| 11 <html> | |
| 12 <body> | |
| 13 <ol> | |
| 14 <li id="unsafe-inline-script-blocked">Inline script blocked (this text should be black)</li> | |
| 15 <li id="unsafe-eval-script-blocked">Eval script blocked (this text should be black)</li> | |
| 16 <li id="unsafe-inline-style-blocked">Inline style blocked (this text should be black)</li> | |
| 17 </ol> | |
| 18 | |
| 19 <script> | |
| 20 // Use inline script to set a style attribute | |
| 21 document.getElementById("unsafe-inline-script-blocked").style.color = "green"; | |
| 22 | |
| 23 // Use eval to set a style attribute | |
| 24 // try/catch is used because CSP causes eval to throw an exception when it | |
| 25 // is blocked, which would derail the rest of the tests in this file. | |
| 26 try { | |
| 27 eval('document.getElementById("unsafe-eval-script-blocked").style.color = "green";'); | |
| 28 } catch (e) {} | |
| 29 </script> | |
| 30 | |
| 31 <style> | |
| 32 li#unsafe-inline-style-blocked { | |
| 33 color: green; | |
| 34 } | |
| 35 </style> | |
| 36 </body> | |
| 37 </html> |
