File: file_bug885433_allows.html

package info (click to toggle)

firefox-esr 128.14.0esr-1~deb12u1

links: PTS, VCS
area: main
in suites: bookworm
size: 4,230,248 kB
sloc: cpp: 7,104,262; javascript: 6,088,450; ansic: 3,654,017; python: 1,212,326; xml: 594,604; asm: 420,654; java: 182,969; sh: 71,124; makefile: 20,739; perl: 13,449; objc: 12,399; yacc: 4,583; cs: 3,846; pascal: 2,973; lex: 1,720; ruby: 1,194; exp: 762; php: 436; lisp: 258; awk: 247; sql: 66; sed: 54; csh: 10

file content (39 lines) | stat: -rw-r--r-- 1,299 bytes

parent folder | download | duplicates (16)

<!doctype html>
<!--
The Content-Security-Policy header for this file is:

  Content-Security-Policy: img-src 'self';

It does not include any of the default-src, script-src, or style-src
directives. It should allow the use of unsafe-inline and unsafe-eval on
scripts, and unsafe-inline on styles, because no directives related to scripts
or styles are specified.
-->
<html>
<body>
  <ol>
    <li id="unsafe-inline-script-allowed">Inline script allowed (this text should be green)</li>
    <li id="unsafe-eval-script-allowed">Eval script allowed (this text should be green)</li>
    <li id="unsafe-inline-style-allowed">Inline style allowed (this text should be green)</li>
  </ol>

  <script>
    // Use inline script to set a style attribute
    document.getElementById("unsafe-inline-script-allowed").style.color = "green";

    // Use eval to set a style attribute
    // try/catch is used because CSP causes eval to throw an exception when it
    // is blocked, which would derail the rest of the tests  in this file.
    try {
      // eslint-disable-next-line no-eval
      eval('document.getElementById("unsafe-eval-script-allowed").style.color = "green";');
    } catch (e) {}
  </script>

  <style>
    li#unsafe-inline-style-allowed {
      color: green;
    }
  </style>
</body>
</html>