1.1 --- /dev/null Thu Jan 01 00:00:00 1970 +0000
1.2 +++ b/content/base/test/csp/file_bug886164_5.html Wed Dec 31 06:09:35 2014 +0100
1.3 @@ -0,0 +1,26 @@
1.4 +<!DOCTYPE HTML>
1.5 +<html>
1.6 +<head> <meta charset="utf-8"> </head>
1.7 +<script type="text/javascript">
1.8 + function ok(result, desc) {
1.9 + window.parent.postMessage({ok: result, desc: desc}, "*");
1.10 + }
1.11 +
1.12 + function doStuff() {
1.13 + ok(true, "documents sandboxed with allow-scripts should be able to run inline scripts");
1.14 + }
1.15 +</script>
1.16 +<script src='file_iframe_sandbox_pass.js'></script>
1.17 +<body onLoad='ok(true, "documents sandboxed with allow-scripts should be able to run script from event listeners");doStuff();'>
1.18 + I am sandboxed but with only inline "allow-scripts"
1.19 +
1.20 + <!-- sandbox="allow-scripts" -->
1.21 + <!-- Content-Security-Policy: default-src 'none' 'unsafe-inline'-->
1.22 +
1.23 + <!-- these should be stopped by CSP -->
1.24 + <img src="/tests/content/base/test/csp/file_CSP.sjs?testid=img5_bad&type=img/png" />
1.25 + <img src="http://example.org/tests/content/base/test/csp/file_CSP.sjs?testid=img5a_bad&type=img/png"> </img>
1.26 + <script src='/tests/content/base/test/csp/file_CSP.sjs?testid=script5_bad&type=text/javascript'></script>
1.27 + <script src='http://example.org/tests/content/base/test/csp/file_CSP.sjs?testid=script5a_bad&type=text/javascript'></script>
1.28 +</body>
1.29 +</html>
