mirror of
https://github.com/classilla/tenfourfox.git
synced 2024-12-27 05:30:25 +00:00
39 lines
1.2 KiB
HTML
39 lines
1.2 KiB
HTML
|
<!doctype html>
|
||
|
<!--
|
||
|
The Content-Security-Policy header for this file is:
|
||
|
|
||
|
Content-Security-Policy: img-src 'self';
|
||
|
|
||
|
It does not include any of the default-src, script-src, or style-src
|
||
|
directives. It should allow the use of unsafe-inline and unsafe-eval on
|
||
|
scripts, and unsafe-inline on styles, because no directives related to scripts
|
||
|
or styles are specified.
|
||
|
-->
|
||
|
<html>
|
||
|
<body>
|
||
|
<ol>
|
||
|
<li id="unsafe-inline-script-allowed">Inline script allowed (this text should be green)</li>
|
||
|
<li id="unsafe-eval-script-allowed">Eval script allowed (this text should be green)</li>
|
||
|
<li id="unsafe-inline-style-allowed">Inline style allowed (this text should be green)</li>
|
||
|
</ol>
|
||
|
|
||
|
<script>
|
||
|
// Use inline script to set a style attribute
|
||
|
document.getElementById("unsafe-inline-script-allowed").style.color = "green";
|
||
|
|
||
|
// Use eval to set a style attribute
|
||
|
// try/catch is used because CSP causes eval to throw an exception when it
|
||
|
// is blocked, which would derail the rest of the tests in this file.
|
||
|
try {
|
||
|
eval('document.getElementById("unsafe-eval-script-allowed").style.color = "green";');
|
||
|
} catch (e) {}
|
||
|
</script>
|
||
|
|
||
|
<style>
|
||
|
li#unsafe-inline-style-allowed {
|
||
|
color: green;
|
||
|
}
|
||
|
</style>
|
||
|
</body>
|
||
|
</html>
|