tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git
Log | Files | Refs | README | LICENSE

script-src-elem-blocked-attr-allowed.html (919B)

      1 <!DOCTYPE html>
      2 <html>
      3 
      4 <head>
      5    <meta http-equiv="Content-Security-Policy" content="script-src-elem 'nonce-abc' 'self';
      6    script-src-attr 'unsafe-inline'">
      7    <script src="/resources/testharness.js"></script>
      8    <script src="/resources/testharnessreport.js"></script>
      9 </head>
     10 
     11 <body>
     12    <script nonce='abc'>
     13      var t = async_test("Should fire a security policy violation for the attribute");
     14      window.addEventListener('securitypolicyviolation', t.step_func_done(function(e) {
     15        assert_equals(e.violatedDirective, 'script-src-elem');
     16        assert_equals(e.blockedURI, 'inline');
     17      }));
     18 
     19      var t1 = async_test("Should execute the inline script attribute");
     20    </script>
     21 
     22    <script>
     23      t.step_func(function() {
     24        assert_unreached("Should not have executed the inline script block");
     25      })
     26    </script>
     27 
     28    <img src="../support/pass.png" onload="t1.done()">
     29 </body>
     30 
     31 </html>