content/base/test/csp/file_CSP_bug885433_allows.html@b8a032363ba2
content/base/test/csp/file_CSP_bug885433_allows.html
Thu, 22 Jan 2015 13:21:57 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Thu, 22 Jan 2015 13:21:57 +0100
- branch
- TOR_BUG_9701
- changeset 15
- b8a032363ba2
- permissions
- -rw-r--r--
Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6
1 <!doctype html>
2 <!--
3 The Content-Security-Policy header for this file is:
5 Content-Security-Policy: img-src 'self';
7 It does not include any of the default-src, script-src, or style-src
8 directives. It should allow the use of unsafe-inline and unsafe-eval on
9 scripts, and unsafe-inline on styles, because no directives related to scripts
10 or styles are specified.
11 -->
12 <html>
13 <body>
14 <ol>
15 <li id="unsafe-inline-script-allowed">Inline script allowed (this text should be green)</li>
16 <li id="unsafe-eval-script-allowed">Eval script allowed (this text should be green)</li>
17 <li id="unsafe-inline-style-allowed">Inline style allowed (this text should be green)</li>
18 </ol>
20 <script>
21 // Use inline script to set a style attribute
22 document.getElementById("unsafe-inline-script-allowed").style.color = "green";
24 // Use eval to set a style attribute
25 // try/catch is used because CSP causes eval to throw an exception when it
26 // is blocked, which would derail the rest of the tests in this file.
27 try {
28 eval('document.getElementById("unsafe-eval-script-allowed").style.color = "green";');
29 } catch (e) {}
30 </script>
32 <style>
33 li#unsafe-inline-style-allowed {
34 color: green;
35 }
36 </style>
37 </body>
38 </html>
