1 files changed, 45 insertions, 0 deletions

diff --git a/dom/security/test/csp/file_dual_header_testserver.sjs b/dom/security/test/csp/file_dual_header_testserver.sjs
new file mode 100644
index 0000000000..0efe186d57
--- /dev/null
+++ b/dom/security/test/csp/file_dual_header_testserver.sjs
@@ -0,0 +1,45 @@
+/*
+ * Custom sjs file serving a test page using *two* CSP policies.
+ * See Bug 1036399 - Multiple CSP policies should be combined towards an intersection
+ */
+
+const TIGHT_POLICY = "default-src 'self'";
+const LOOSE_POLICY = "default-src 'self' 'unsafe-inline'";
+
+function handleRequest(request, response) {
+  // avoid confusing cache behaviors
+  response.setHeader("Cache-Control", "no-cache", false);
+
+  var csp = "";
+  // deliver *TWO* comma separated policies which is in fact the same as serving
+  // to separate CSP headers (AppendPolicy is called twice).
+  if (request.queryString == "tight") {
+    // script execution will be *blocked*
+    csp = TIGHT_POLICY + ", " + LOOSE_POLICY;
+  } else {
+    // script execution will be *allowed*
+    csp = LOOSE_POLICY + ", " + LOOSE_POLICY;
+  }
+  response.setHeader("Content-Security-Policy", csp, false);
+
+  // Send HTML to test allowed/blocked behaviors
+  response.setHeader("Content-Type", "text/html", false);
+
+  // generate an html file that contains a div container which is updated
+  // in case the inline script is *not* blocked by CSP.
+  var html =
+    "<!DOCTYPE HTML>" +
+    "<html>" +
+    "<head>" +
+    "<title>Testpage for Bug 1036399</title>" +
+    "</head>" +
+    "<body>" +
+    "<div id='testdiv'>blocked</div>" +
+    "<script type='text/javascript'>" +
+    "document.getElementById('testdiv').innerHTML = 'allowed';" +
+    "</script>" +
+    "</body>" +
+    "</html>";
+
+  response.write(html);
+}