content/base/test/csp/file_CSP_bug885433_blocks.html

changeset 0
6474c204b198
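--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/content/base/test/csp/file_CSP_bug885433_blocks.html	Wed Dec 31 06:09:35 2014 +0100
@@ -0,0 +1,37 @@
+<!doctype html>
+<!--
+The Content-Security-Policy header for this file is:
+
+  Content-Security-Policy: default-src 'self';
+
+The Content-Security-Policy header for this file includes the default-src
+directive, which triggers the default behavior of blocking unsafe-inline and
+unsafe-eval on scripts, and unsafe-inline on styles.
+-->
+<html>
+<body>
+  <ol>
+    <li id="unsafe-inline-script-blocked">Inline script blocked (this text should be black)</li>
+    <li id="unsafe-eval-script-blocked">Eval script blocked (this text should be black)</li>
+    <li id="unsafe-inline-style-blocked">Inline style blocked (this text should be black)</li>
+  </ol>
+
+  <script>
+    // Use inline script to set a style attribute
+    document.getElementById("unsafe-inline-script-blocked").style.color = "green";
+
+    // Use eval to set a style attribute
+    // try/catch is used because CSP causes eval to throw an exception when it
+    // is blocked, which would derail the rest of the tests  in this file.
+    try {
+      eval('document.getElementById("unsafe-eval-script-blocked").style.color = "green";');
+    } catch (e) {}
+  </script>
+
+  <style>
+    li#unsafe-inline-style-blocked {
+      color: green;
+    }
+  </style>
+</body>
+</html>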
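Review bot: The eval check in the `try { eval(...) } catch (e) {}` lines sits inside the same inline `<script>` that `default-src 'self'` is expected to block, so when the policy is enforced that code never runs. The `unsafe-eval-script-blocked` item then stays black whether or not eval blocking works, and a regression in the unsafe-eval default would pass unnoticed. To exercise eval on its own, move the call into a same-origin external script, for example `<script src="PLACEHOLDER_same_origin_eval_test.js"></script>` (placeholder name), which `'self'` allows to load. The empty `catch (e) {}` also swallows every exception, not only the CSP one; a short comment saying that is deliberate, or recording the caught error for the harness, would make an unrelated failure easier to spot.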
