content/base/test/csp/file_CSP_bug885433_allows.html@6474c204b198
content/base/test/csp/file_CSP_bug885433_allows.html
Wed, 31 Dec 2014 06:09:35 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Wed, 31 Dec 2014 06:09:35 +0100
- changeset 0
- 6474c204b198
- permissions
- -rw-r--r--
Cloned upstream origin tor-browser at tor-browser-31.3.0esr-4.5-1-build1
revision ID fc1c9ff7c1b2defdbc039f12214767608f46423f for hacking purpose.
1 <!doctype html>
2 <!--
3 The Content-Security-Policy header for this file is:
5 Content-Security-Policy: img-src 'self';
7 It does not include any of the default-src, script-src, or style-src
8 directives. It should allow the use of unsafe-inline and unsafe-eval on
9 scripts, and unsafe-inline on styles, because no directives related to scripts
10 or styles are specified.
11 -->
12 <html>
13 <body>
14 <ol>
15 <li id="unsafe-inline-script-allowed">Inline script allowed (this text should be green)</li>
16 <li id="unsafe-eval-script-allowed">Eval script allowed (this text should be green)</li>
17 <li id="unsafe-inline-style-allowed">Inline style allowed (this text should be green)</li>
18 </ol>
20 <script>
21 // Use inline script to set a style attribute
22 document.getElementById("unsafe-inline-script-allowed").style.color = "green";
24 // Use eval to set a style attribute
25 // try/catch is used because CSP causes eval to throw an exception when it
26 // is blocked, which would derail the rest of the tests in this file.
27 try {
28 eval('document.getElementById("unsafe-eval-script-allowed").style.color = "green";');
29 } catch (e) {}
30 </script>
32 <style>
33 li#unsafe-inline-style-allowed {
34 color: green;
35 }
36 </style>
37 </body>
38 </html>
