diff options
Diffstat (limited to 'dom/security/test/csp/file_bug885433_allows.html')
-rw-r--r-- | dom/security/test/csp/file_bug885433_allows.html | 38 |
1 files changed, 38 insertions, 0 deletions
diff --git a/dom/security/test/csp/file_bug885433_allows.html b/dom/security/test/csp/file_bug885433_allows.html new file mode 100644 index 0000000000..5d7aacbda4 --- /dev/null +++ b/dom/security/test/csp/file_bug885433_allows.html @@ -0,0 +1,38 @@ +<!doctype html> +<!-- +The Content-Security-Policy header for this file is: + + Content-Security-Policy: img-src 'self'; + +It does not include any of the default-src, script-src, or style-src +directives. It should allow the use of unsafe-inline and unsafe-eval on +scripts, and unsafe-inline on styles, because no directives related to scripts +or styles are specified. +--> +<html> +<body> + <ol> + <li id="unsafe-inline-script-allowed">Inline script allowed (this text should be green)</li> + <li id="unsafe-eval-script-allowed">Eval script allowed (this text should be green)</li> + <li id="unsafe-inline-style-allowed">Inline style allowed (this text should be green)</li> + </ol> + + <script> + // Use inline script to set a style attribute + document.getElementById("unsafe-inline-script-allowed").style.color = "green"; + + // Use eval to set a style attribute + // try/catch is used because CSP causes eval to throw an exception when it + // is blocked, which would derail the rest of the tests in this file. + try { + eval('document.getElementById("unsafe-eval-script-allowed").style.color = "green";'); + } catch (e) {} + </script> + + <style> + li#unsafe-inline-style-allowed { + color: green; + } + </style> +</body> +</html> |