file_bug885433_allows.html (1299B)
<!doctype html>
<!--
  Fixture for bug 885433, "allows" case (both taken from the file name).

  This file is served with the response header:

    Content-Security-Policy: img-src 'self';

  The policy names img-src only. It has no script-src or style-src, and no
  default-src for them to fall back to, so it places no restriction on
  scripts or styles. Inline script, eval and inline style are all expected
  to work, as if unsafe-inline and unsafe-eval had been granted.

  Each list item below is turned green by one of those three mechanisms.
  An item that does not turn green means that mechanism was blocked.

  Reviewer note: for the same reason, a policy of this shape gives no
  mitigation against injected script or style. A deployment that wants that
  protection has to state default-src, or script-src and style-src,
  explicitly.
-->
<html>
<body>
  <!-- The ids are the hooks used by the script and the style rule below;
       presumably the test harness reads them too (not visible here). -->
  <ol>
    <li id="unsafe-inline-script-allowed">Inline script allowed (this text should be green)</li>
    <li id="unsafe-eval-script-allowed">Eval script allowed (this text should be green)</li>
    <li id="unsafe-inline-style-allowed">Inline style allowed (this text should be green)</li>
  </ol>

  <script>
    // Probe 1: inline script. If this block runs at all, the first item
    // turns green.
    document.querySelector("#unsafe-inline-script-allowed").style.color = "green";

    // Probe 2: eval. When CSP blocks eval it throws, so the call is wrapped
    // to keep a blocked eval from aborting the rest of this file.
    try {
      const evalSource = 'document.getElementById("unsafe-eval-script-allowed").style.color = "green";';
      // eslint-disable-next-line no-eval
      eval(evalSource);
    } catch (e) {
      // Deliberately empty: a blocked eval shows up as the second item not
      // turning green.
    }
  </script>

  <!-- Probe 3: inline style. The rule only takes effect if inline <style>
       elements are permitted. -->
  <style>
    li#unsafe-inline-style-allowed {
      color: green;
    }
  </style>
</body>
</html>