content/base/test/csp/file_CSP_bug885433_blocks.html@b8a032363ba2
content/base/test/csp/file_CSP_bug885433_blocks.html
Thu, 22 Jan 2015 13:21:57 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Thu, 22 Jan 2015 13:21:57 +0100
- branch
- TOR_BUG_9701
- changeset 15
- b8a032363ba2
- permissions
- -rw-r--r--
Incorporate requested changes from Mozilla in review:
https://bugzilla.mozilla.org/show_bug.cgi?id=1123480#c6
1 <!doctype html>
2 <!--
3 The Content-Security-Policy header for this file is:
5 Content-Security-Policy: default-src 'self';
7 The Content-Security-Policy header for this file includes the default-src
8 directive, which triggers the default behavior of blocking unsafe-inline and
9 unsafe-eval on scripts, and unsafe-inline on styles.
10 -->
11 <html>
12 <body>
13 <ol>
14 <li id="unsafe-inline-script-blocked">Inline script blocked (this text should be black)</li>
15 <li id="unsafe-eval-script-blocked">Eval script blocked (this text should be black)</li>
16 <li id="unsafe-inline-style-blocked">Inline style blocked (this text should be black)</li>
17 </ol>
19 <script>
20 // Use inline script to set a style attribute
21 document.getElementById("unsafe-inline-script-blocked").style.color = "green";
23 // Use eval to set a style attribute
24 // try/catch is used because CSP causes eval to throw an exception when it
25 // is blocked, which would derail the rest of the tests in this file.
26 try {
27 eval('document.getElementById("unsafe-eval-script-blocked").style.color = "green";');
28 } catch (e) {}
29 </script>
31 <style>
32 li#unsafe-inline-style-blocked {
33 color: green;
34 }
35 </style>
36 </body>
37 </html>
