gecko/content/base/test/file_CSP_inlinescript_main.html

<!--
-- The original CSP implementation predates the CSP 1.0 spec and didn't
-- block inline styles, so when the prefixed X-Content-Security-Policy header is used,
-- as it is for this file, inline styles should be allowed.
-->
<html>
  <head>
    <title>CSP inline script tests</title>
  </head>
  <body onload="window.parent.scriptRan(false, 'eventattr', 'event attribute in body tag fired')">

    <script type="text/javascript">
      window.parent.scriptRan(false, "textnode", "text node in a script tag executed.");
    </script>

    <iframe src='javascript:window.parent.parent.scriptRan(false, "jsuri", "javascript: uri in image tag")'></iframe>

    <a id='anchortoclick' href='javascript:window.parent.scriptRan(false, "jsuri", "javascript: uri in anchor tag ran when clicked.");'>stuff</a>
  </body>
</html>
Bug 763879 - implement inline stylesheet blocking for CSP (r=dbaron) 2012-08-30 10:58:24 -07:00			`<!--`
			`-- The original CSP implementation predates the CSP 1.0 spec and didn't`
			`-- block inline styles, so when the prefixed X-Content-Security-Policy header is used,`
			`-- as it is for this file, inline styles should be allowed.`
			`-->`
Forgot tests for bug 515442 2010-02-23 14:28:18 -08:00			`<html>`
			`<head>`
			`<title>CSP inline script tests</title>`
			`</head>`
Bug 746978 - sync CSP directive parsing and directive names with w3c CSP 1.0 spec - Part 4 - unsafe-inline (r=sstamm) 2013-01-09 10:57:05 -08:00			`<body onload="window.parent.scriptRan(false, 'eventattr', 'event attribute in body tag fired')">`
Forgot tests for bug 515442 2010-02-23 14:28:18 -08:00
			`<script type="text/javascript">`
Bug 746978 - sync CSP directive parsing and directive names with w3c CSP 1.0 spec - Part 4 - unsafe-inline (r=sstamm) 2013-01-09 10:57:05 -08:00			`window.parent.scriptRan(false, "textnode", "text node in a script tag executed.");`
Forgot tests for bug 515442 2010-02-23 14:28:18 -08:00			`</script>`

Bug 746978 - sync CSP directive parsing and directive names with w3c CSP 1.0 spec - Part 4 - unsafe-inline (r=sstamm) 2013-01-09 10:57:05 -08:00			`<iframe src='javascript:window.parent.parent.scriptRan(false, "jsuri", "javascript: uri in image tag")'></iframe>`
Forgot tests for bug 515442 2010-02-23 14:28:18 -08:00
Bug 746978 - sync CSP directive parsing and directive names with w3c CSP 1.0 spec - Part 4 - unsafe-inline (r=sstamm) 2013-01-09 10:57:05 -08:00			`<a id='anchortoclick' href='javascript:window.parent.scriptRan(false, "jsuri", "javascript: uri in anchor tag ran when clicked.");'>stuff</a>`
Forgot tests for bug 515442 2010-02-23 14:28:18 -08:00			`</body>`
			`</html>`