The Tor Browser / file comparison
comparison: content/base/test/csp/file_CSP_bug885433_allows.html
content/base/test/csp/file_CSP_bug885433_allows.html
- branch
- TOR_BUG_9701
- changeset 15
- b8a032363ba2
equal
deleted
inserted
replaced
| -1:000000000000 | 0:278f9c7e6e0f |
|---|---|
| 1 <!doctype html> | |
| 2 <!-- | |
| 3 The Content-Security-Policy header for this file is: | |
| 4 | |
| 5 Content-Security-Policy: img-src 'self'; | |
| 6 | |
| 7 It does not include any of the default-src, script-src, or style-src | |
| 8 directives. It should allow the use of unsafe-inline and unsafe-eval on | |
| 9 scripts, and unsafe-inline on styles, because no directives related to scripts | |
| 10 or styles are specified. | |
| 11 --> | |
| 12 <html> | |
| 13 <body> | |
| 14 <ol> | |
| 15 <li id="unsafe-inline-script-allowed">Inline script allowed (this text should be green)</li> | |
| 16 <li id="unsafe-eval-script-allowed">Eval script allowed (this text should be green)</li> | |
| 17 <li id="unsafe-inline-style-allowed">Inline style allowed (this text should be green)</li> | |
| 18 </ol> | |
| 19 | |
| 20 <script> | |
| 21 // Use inline script to set a style attribute | |
| 22 document.getElementById("unsafe-inline-script-allowed").style.color = "green"; | |
| 23 | |
| 24 // Use eval to set a style attribute | |
| 25 // try/catch is used because CSP causes eval to throw an exception when it | |
| 26 // is blocked, which would derail the rest of the tests in this file. | |
| 27 try { | |
| 28 eval('document.getElementById("unsafe-eval-script-allowed").style.color = "green";'); | |
| 29 } catch (e) {} | |
| 30 </script> | |
| 31 | |
| 32 <style> | |
| 33 li#unsafe-inline-style-allowed { | |
| 34 color: green; | |
| 35 } | |
| 36 </style> | |
| 37 </body> | |
| 38 </html> |
