content/base/test/csp/file_CSP_bug885433_allows.html@deefc01c0e14
content/base/test/csp/file_CSP_bug885433_allows.html
Thu, 15 Jan 2015 21:03:48 +0100
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Thu, 15 Jan 2015 21:03:48 +0100
- branch
- TOR_BUG_9701
- changeset 11
- deefc01c0e14
- permissions
- -rw-r--r--
Integrate friendly tips from Tor colleagues to make (or not) 4.5 alpha 3;
This includes removal of overloaded (but unused) methods, and addition of
a overlooked call to DataStruct::SetData(nsISupports, uint32_t, bool.)
1 <!doctype html>
2 <!--
3 The Content-Security-Policy header for this file is:
5 Content-Security-Policy: img-src 'self';
7 It does not include any of the default-src, script-src, or style-src
8 directives. It should allow the use of unsafe-inline and unsafe-eval on
9 scripts, and unsafe-inline on styles, because no directives related to scripts
10 or styles are specified.
11 -->
12 <html>
13 <body>
14 <ol>
15 <li id="unsafe-inline-script-allowed">Inline script allowed (this text should be green)</li>
16 <li id="unsafe-eval-script-allowed">Eval script allowed (this text should be green)</li>
17 <li id="unsafe-inline-style-allowed">Inline style allowed (this text should be green)</li>
18 </ol>
20 <script>
21 // Use inline script to set a style attribute
22 document.getElementById("unsafe-inline-script-allowed").style.color = "green";
24 // Use eval to set a style attribute
25 // try/catch is used because CSP causes eval to throw an exception when it
26 // is blocked, which would derail the rest of the tests in this file.
27 try {
28 eval('document.getElementById("unsafe-eval-script-allowed").style.color = "green";');
29 } catch (e) {}
30 </script>
32 <style>
33 li#unsafe-inline-style-allowed {
34 color: green;
35 }
36 </style>
37 </body>
38 </html>
