content/base/test/csp/file_CSP_bug885433_allows.html

changeset 0
6474c204b198
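--- /dev/null
+++ b/content/base/test/csp/file_CSP_bug885433_allows.html
@@ -0,0 +1,38 @@
+<!doctype html>
+<!--
+The Content-Security-Policy header for this file is:
+
+  Content-Security-Policy: img-src 'self';
+
+It does not include any of the default-src, script-src, or style-src
+directives. It should allow the use of unsafe-inline and unsafe-eval on
+scripts, and unsafe-inline on styles, because no directives related to scripts
+or styles are specified.
+-->
+<html>
+<body>
+  <ol>
+    <li id="unsafe-inline-script-allowed">Inline script allowed (this text should be green)</li>
+    <li id="unsafe-eval-script-allowed">Eval script allowed (this text should be green)</li>
+    <li id="unsafe-inline-style-allowed">Inline style allowed (this text should be green)</li>
+  </ol>
+
+  <script>
+    // Use inline script to set a style attribute
+    document.getElementById("unsafe-inline-script-allowed").style.color = "green";
+
+    // Use eval to set a style attribute
+    // try/catch is used because CSP causes eval to throw an exception when it
+    // is blocked, which would derail the rest of the tests  in this file.
+    try {
+      eval('document.getElementById("unsafe-eval-script-allowed").style.color = "green";');
+    } catch (e) {}
+  </script>
+
+  <style>
+    li#unsafe-inline-style-allowed {
+      color: green;
+    }
+  </style>
+</body>
+</html>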
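Review bot: The two script checks set their colour through the CSSOM (`.style.color = "green"` in both the inline and the eval branch), and it is worth stating in the comment that this path is, as far as I recall from CSP 1.0, not governed by style-src, so those two list items reflect script-src alone while only the third item exercises the inline `<style>` element; a one-line comment such as `// CSSOM assignment is not subject to style-src, so this only reflects script-src` above the first assignment would make that intent explicit. The header comment describes the policy but not where it is served from; if a sibling headers file supplies it for the test server (not visible here), naming it in the comment keeps the two in sync. The `catch (e) {}` silently swallows a blocked eval, which is deliberate per the comment, but the item then stays uncoloured rather than being marked as failed, so a reader inspecting the page cannot distinguish "blocked" from "script never ran". As a style point, the document has no `<meta charset>` or `<title>`, which the rest of the fixture does not need but a validator will flag.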
