summaryrefslogtreecommitdiffstats
path: root/dom/security/test/csp/file_bug885433_blocks.html
blob: 2279b33e460e8c7d16901d64a921e3d9ea7ff55a (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
<!doctype html>
<!--
The Content-Security-Policy header for this file is:

  Content-Security-Policy: default-src 'self';

The Content-Security-Policy header for this file includes the default-src
directive, which triggers the default behavior of blocking unsafe-inline and
unsafe-eval on scripts, and unsafe-inline on styles.
-->
<html>
<body>
  <ol>
    <li id="unsafe-inline-script-blocked">Inline script blocked (this text should be black)</li>
    <li id="unsafe-eval-script-blocked">Eval script blocked (this text should be black)</li>
    <li id="unsafe-inline-style-blocked">Inline style blocked (this text should be black)</li>
  </ol>

  <script>
    // Use inline script to set a style attribute
    document.getElementById("unsafe-inline-script-blocked").style.color = "green";

    // Use eval to set a style attribute
    // try/catch is used because CSP causes eval to throw an exception when it
    // is blocked, which would derail the rest of the tests  in this file.
    try {
      eval('document.getElementById("unsafe-eval-script-blocked").style.color = "green";');
    } catch (e) {}
  </script>

  <style>
    li#unsafe-inline-style-blocked {
      color: green;
    }
  </style>
</body>
</html>