script-style-attribute-csp.html (860B)
<!doctype html>
<meta charset="UTF-8">
<!--
  Allow scripts, but don't allow inline styles.
  This does allow scripts to *set* inline styles via the .style attribute.
-->
<title>Setting style setters via script for an SVG element outside of the document should work</title>
<meta http-equiv="Content-Security-Policy" content="
  script-src 'unsafe-inline';
  style-src 'none';
">
<link rel="match" href="script-style-attribute-csp-ref.html">
<link rel="author" title="Emilio Cobos Álvarez" href="mailto:emilio@crisal.io">
<link rel="help" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1494356">
<body>
<script>
  const element = document.createElementNS('http://www.w3.org/2000/svg', 'svg');
  element.style.width = '100px';
  element.style.height = '100px';
  element.style.backgroundColor = 'green';
  document.body.appendChild(element);
</script>