file_bug885433_blocks.html (1262B)
<!doctype html>
<!--
CSP "blocks" fixture: every inline or eval-based change below is expected to be
refused, so all three list items should stay black.

The Content-Security-Policy header for this file is:

  Content-Security-Policy: default-src 'self';

The header is sent with the HTTP response; nothing in this document sets it.

The policy contains only the default-src directive. script-src and style-src
are not given, so both fall back to default-src 'self'. Because neither
'unsafe-inline' nor 'unsafe-eval' is listed, the default behavior applies:
inline scripts and eval are blocked for scripts, and inline styles are blocked
for styles.
-->
<html>
<body>
  <ol>
    <li id="unsafe-inline-script-blocked">Inline script blocked (this text should be black)</li>
    <li id="unsafe-eval-script-blocked">Eval script blocked (this text should be black)</li>
    <li id="unsafe-inline-style-blocked">Inline style blocked (this text should be black)</li>
  </ol>

  <script>
    // Check 1: inline script execution.
    // If this inline <script> element is allowed to run, item 1 turns green.
    // Setting .style through the CSSOM is not what the policy restricts here;
    // the thing under test is whether the inline script runs at all.
    document.getElementById("unsafe-inline-script-blocked").style.color = "green";

    // Check 2: eval.
    // If eval is allowed, the evaluated string turns item 2 green.
    // try/catch is used because CSP causes eval to throw an exception when it
    // is blocked, which would otherwise stop the rest of this script. The
    // catch body is intentionally empty: a blocked eval just leaves the item
    // black.
    // NOTE(review): this eval sits inside the inline script, so it is reached
    // only if the inline script itself was allowed to run. Under the policy
    // above, item 2 staying black follows from the inline block being refused
    // and does not on its own show that eval is blocked.
    try {
      // eslint-disable-next-line no-eval
      eval('document.getElementById("unsafe-eval-script-blocked").style.color = "green";');
    } catch (e) {}
  </script>

  <style>
    /* Check 3: inline <style> element. If inline styles are allowed, this rule
       turns item 3 green; under the policy above the element is refused and
       the item stays black. */
    li#unsafe-inline-style-blocked {
      color: green;
    }
  </style>
</body>
</html>