CONSOLE MESSAGE: Injecting in main world: this should fail.
CONSOLE ERROR: Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'none'". Either the 'unsafe-inline' keyword, a hash ('sha256-9mofj90uV/hjdJ1EZ8ch4jBC+3bw4vt8GBxoMUosVmo='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.
CONSOLE MESSAGE: PASS: Style assignment in test 6 was blocked by CSP.
CONSOLE MESSAGE: Injecting into isolated world without bypass: this should fail.
CONSOLE ERROR: Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'none'". Either the 'unsafe-inline' keyword, a hash ('sha256-RMFtATOlfMpeC8MJSEmpniQZnGMRT24P+KNCE5zJg08='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.
CONSOLE MESSAGE: PASS: Style assignment in test 5 was blocked by CSP.
CONSOLE ERROR: Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'none'". Either the 'unsafe-inline' keyword, a hash ('sha256-ZBTj5RHLnrF+IxdRZM2RuLfjTJQXNSi7fLQHr09onfY='), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.
CONSOLE MESSAGE: PASS: Style attribute assignment in test 5 was blocked by CSP.
CONSOLE MESSAGE: Have a separate CSP for the isolated world. Allow unsafe-inline. This should pass.
CONSOLE MESSAGE: PASS: Style assignment in test 4 was not blocked by CSP.
CONSOLE MESSAGE: PASS: Style attribute assignment in test 4 was not blocked by CSP.
CONSOLE MESSAGE: Have a separate CSP for the isolated world. Use an empty CSP. This should pass.
CONSOLE MESSAGE: PASS: Style assignment in test 3 was not blocked by CSP.
CONSOLE MESSAGE: PASS: Style attribute assignment in test 3 was not blocked by CSP.
CONSOLE MESSAGE: Have a separate CSP for the isolated world. Disallow unsafe-inline.
CONSOLE ERROR: Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'none'". Either the 'unsafe-inline' keyword, a hash ('sha256-0B38VDo0PSzEMTh/bG58xIoc1+UQzjQ8WF/8+v2xP9w='), or a nonce ('nonce-...') is required to enable inline execution.
CONSOLE MESSAGE: PASS: Style assignment in test 2 was blocked by CSP.
CONSOLE ERROR: Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'none'". Either the 'unsafe-inline' keyword, a hash ('sha256-ZBTj5RHLnrF+IxdRZM2RuLfjTJQXNSi7fLQHr09onfY='), or a nonce ('nonce-...') is required to enable inline execution. Note that hashes do not apply to event handlers, style attributes and javascript: navigations unless the 'unsafe-hashes' keyword is present.
CONSOLE MESSAGE: PASS: Style attribute assignment in test 2 was blocked by CSP.
CONSOLE MESSAGE: Injecting into main world again: this should fail.
CONSOLE ERROR: Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'none'". Either the 'unsafe-inline' keyword, a hash ('sha256-bUBNmssmL79UBWplbQJyN9Hi2tRE9H345W5DVyjdUq4='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.
CONSOLE MESSAGE: PASS: Style assignment in test 1 was blocked by CSP.
This tests the behavior of inline CSS in isolated worlds and its interaction with the page and isolated world CSP.
Codebase Browser
chromium