path: root/dom/security/test/csp/file_dual_header_testserver.sjs
blob: 0efe186d5799cbfef656716d3d30788c0e388760 (plain)
/*
 * Custom sjs file serving a test page using *two* CSP policies.
 * See Bug 1036399 - Multiple CSP policies should be combined towards an intersection
 */

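// Policy without 'unsafe-inline': inline scripts are blocked under it.
const TIGHT_POLICY = "default-src 'self'";
// Policy with 'unsafe-inline': inline scripts are permitted under it.
const LOOSE_POLICY = "default-src 'self' 'unsafe-inline'";

/**
 * sjs request handler: serves a small HTML page under two CSP policies.
 *
 * The query string selects the policy pair:
 *   - "tight"       -> TIGHT_POLICY + LOOSE_POLICY; the inline script is
 *                      expected to be *blocked* (intersection of policies)
 *   - anything else -> LOOSE_POLICY + LOOSE_POLICY; the inline script is
 *                      expected to be *allowed*
 *
 * @param {object} request  sjs request; only `queryString` is read
 * @param {object} response sjs response; `setHeader` and `write` are called
 */
function handleRequest(request, response) {
  // avoid confusing cache behaviors
  response.setHeader("Cache-Control", "no-cache", false);

  // deliver *TWO* comma separated policies which is in fact the same as serving
  // two separate CSP headers (AppendPolicy is called twice).
  const csp =
    request.queryString === "tight"
      ? `${TIGHT_POLICY}, ${LOOSE_POLICY}` // script execution will be *blocked*
      : `${LOOSE_POLICY}, ${LOOSE_POLICY}`; // script execution will be *allowed*
  response.setHeader("Content-Security-Policy", csp, false);

  // Send HTML to test allowed/blocked behaviors
  response.setHeader("Content-Type", "text/html", false);

  // generate an html file that contains a div container which is updated
  // in case the inline script is *not* blocked by CSP.
  // The markup is fully static: nothing from the request is interpolated
  // into it, so the query string cannot influence the served page body.
  const html = [
    "<!DOCTYPE HTML>",
    "<html>",
    "<head>",
    "<title>Testpage for Bug 1036399</title>",
    "</head>",
    "<body>",
    "<div id='testdiv'>blocked</div>",
    "<script type='text/javascript'>",
    "document.getElementById('testdiv').innerHTML = 'allowed';",
    "</script>",
    "</body>",
    "</html>",
  ].join("");

  response.write(html);
}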