File: file_CSP_inlinescript_main.html

iceweasel 31.8.0esr-1~deb7u1
  • area: main
  • in suites: wheezy
  • size: 1,373,164 kB
  • sloc: cpp: 3,717,015; ansic: 1,797,386; python: 206,412; java: 180,622; asm: 133,557; xml: 89,501; sh: 72,014; perl: 22,087; makefile: 21,970; objc: 4,014; yacc: 1,995; pascal: 1,292; lex: 950; exp: 449; lisp: 228; awk: 211; php: 113; sed: 43; csh: 31; ada: 16; ruby: 3
file content (20 lines) | stat: -rw-r--r-- 820 bytes
<!--
-- The original CSP implementation predates the CSP 1.0 spec and didn't
-- block inline styles, so when the prefixed X-Content-Security-Policy header is used,
-- as it is for this file, inline styles should be allowed.
-->
<html>
  <head>
    <title>CSP inline script tests</title>
  </head>
  <body onload="window.parent.scriptRan(false, 'eventattr', 'event attribute in body tag fired')">

    <script type="text/javascript">
      window.parent.scriptRan(false, "textnode", "text node in a script tag executed.");
    </script>

    <iframe src='javascript:window.parent.parent.scriptRan(false, "jsuri", "javascript: uri in image tag")'></iframe>

    <a id='anchortoclick' href='javascript:window.parent.scriptRan(false, "jsuri", "javascript: uri in anchor tag ran when clicked.");'>stuff</a>
  </body>
</html>