<!DOCTYPE html> | |
<html> | |
<head> | |
<meta http-equiv="Content-Security-Policy" content="script-src 'unsafe-inline'"> | |
</head> | |
<body> | |
<script> | |
const blob_payload = ` | |
<!doctype html> | |
<script> | |
var i = false; | |
try { | |
eval('i = true'); | |
} catch {} | |
opener.postMessage(i ? "eval allowed" : "eval blocked", '*'); | |
</scr` + `ipt> | |
`; | |
var blob_url = URL.createObjectURL( | |
new Blob([blob_payload], { type: 'text/html' })); | |
parent.location = blob_url; | |
</script> | |
</body> | |
</html> |