1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/content/base/test/csp/file_CSP_inlinescript_main.html Wed Dec 31 06:09:35 2014 +0100
1.3 @@ -0,0 +1,20 @@
1.4 +<!--
1.5 +-- The original CSP implementation predates the CSP 1.0 spec and didn't
1.6 +-- block inline styles, so when the prefixed X-Content-Security-Policy header is used,
1.7 +-- as it is for this file, inline styles should be allowed.
1.8 +-->
1.9 +<html>
1.10 + <head>
1.11 + <title>CSP inline script tests</title>
1.12 + </head>
1.13 + <body onload="window.parent.scriptRan(false, 'eventattr', 'event attribute in body tag fired')">
1.14 +
1.15 + <script type="text/javascript">
1.16 + window.parent.scriptRan(false, "textnode", "text node in a script tag executed.");
1.17 + </script>
1.18 +
1.19 + <iframe src='javascript:window.parent.parent.scriptRan(false, "jsuri", "javascript: uri in image tag")'></iframe>
1.20 +
1.21 + <a id='anchortoclick' href='javascript:window.parent.scriptRan(false, "jsuri", "javascript: uri in anchor tag ran when clicked.");'>stuff</a>
1.22 + </body>
1.23 +</html>
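Review bot: The header comment (1.4–1.8) says inline styles should be allowed under the prefixed X-Content-Security-Policy header, but every probe in this file is an inline script reporting `scriptRan(false, …)`, so the comment looks carried over from the inline-style test and misstates what is checked. Assuming `false` means "should not have run", wording such as `-- Inline scripts (event attributes, script text nodes, javascript: URIs) must still be blocked when the prefixed X-Content-Security-Policy header is used, as it is for this file.` would match the code. The iframe probe at 1.19 describes itself as `"javascript: uri in image tag"`; the message should read `"javascript: uri in iframe src"` so a failure log points at the right vector. The iframe and anchor probes also share the id `"jsuri"`, so if the harness (not visible here) keys on that id, distinct ids such as `"jsuri-iframe"` and `"jsuri-anchor"` would show which bypass fired.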