summaryrefslogtreecommitdiffstats
path: root/dom/security/test/csp/file_redirects_resource.sjs
diff options
context:
space:
mode:
Diffstat (limited to 'dom/security/test/csp/file_redirects_resource.sjs')
-rw-r--r--dom/security/test/csp/file_redirects_resource.sjs171
1 files changed, 171 insertions, 0 deletions
diff --git a/dom/security/test/csp/file_redirects_resource.sjs b/dom/security/test/csp/file_redirects_resource.sjs
new file mode 100644
index 0000000000..df0b8101d8
--- /dev/null
+++ b/dom/security/test/csp/file_redirects_resource.sjs
@@ -0,0 +1,171 @@
+// SJS file to serve resources for CSP redirect tests
+// This file mimics serving resources, e.g. fonts, images, etc., which a CSP
+// can include. The resource may redirect to a different resource, if specified.
+function handleRequest(request, response) {
+ var query = {};
+ request.queryString.split("&").forEach(function (val) {
+ var [name, value] = val.split("=");
+ query[name] = unescape(value);
+ });
+
+ var thisSite = "http://mochi.test:8888";
+ var otherSite = "http://example.com";
+ var resource = "/tests/dom/security/test/csp/file_redirects_resource.sjs";
+
+ response.setHeader("Cache-Control", "no-cache", false);
+
+ // redirect to a resource on this site
+ if (query.redir == "same") {
+ var loc = thisSite + resource + "?res=" + query.res + "&testid=" + query.id;
+ response.setStatusLine("1.1", 302, "Found");
+ response.setHeader("Location", loc, false);
+ return;
+ }
+
+ // redirect to a resource on a different site
+ else if (query.redir == "other") {
+ var loc =
+ otherSite + resource + "?res=" + query.res + "&testid=" + query.id;
+ response.setStatusLine("1.1", 302, "Found");
+ response.setHeader("Location", loc, false);
+ return;
+ }
+
+ // not a redirect. serve some content.
+ // the content doesn't have to be valid, since we're only checking whether
+ // the request for the content was sent or not.
+
+ // downloadable font
+ if (query.res == "font") {
+ response.setHeader("Access-Control-Allow-Origin", "*", false);
+ response.setHeader("Content-Type", "text/plain", false);
+ response.write("font data...");
+ return;
+ }
+
+ // iframe with arbitrary content
+ if (query.res == "iframe") {
+ response.setHeader("Content-Type", "text/html", false);
+ response.write("iframe content...");
+ return;
+ }
+
+ // image
+ if (query.res == "image") {
+ response.setHeader("Content-Type", "image/gif", false);
+ response.write("image data...");
+ return;
+ }
+
+ // media content, e.g. Ogg video
+ if (query.res == "media") {
+ response.setHeader("Content-Type", "video/ogg", false);
+ response.write("video data...");
+ return;
+ }
+
+ // plugin content, e.g. <object>
+ if (query.res == "object") {
+ response.setHeader("Content-Type", "text/html", false);
+ response.write("object data...");
+ return;
+ }
+
+ // script
+ if (query.res == "script") {
+ response.setHeader("Content-Type", "application/javascript", false);
+ response.write("some script...");
+ return;
+ }
+
+ // external stylesheet
+ if (query.res == "style") {
+ response.setHeader("Content-Type", "text/css", false);
+ response.write("css data...");
+ return;
+ }
+
+ // internal stylesheet that loads an image from an external site
+ if (query.res == "cssLoader") {
+ let bgURL = thisSite + resource + "?redir=other&res=image&id=" + query.id;
+ response.setHeader("Content-Type", "text/css", false);
+ response.write("body { background:url('" + bgURL + "'); }");
+ return;
+ }
+
+ // script that loads an internal worker that uses importScripts on a redirect
+ // to an external script.
+ if (query.res == "loadWorkerThatMakesRequests") {
+ // this creates a worker (same origin) that imports a redirecting script.
+ let workerURL =
+ thisSite + resource + "?res=makeRequestsWorker&id=" + query.id;
+ response.setHeader("Content-Type", "application/javascript", false);
+ response.write("new Worker('" + workerURL + "');");
+ return;
+ }
+
+ // script that loads an internal worker that uses importScripts on a redirect
+ // to an external script.
+ if (query.res == "loadBlobWorkerThatMakesRequests") {
+ // this creates a worker (same origin) that imports a redirecting script.
+ let workerURL =
+ thisSite + resource + "?res=makeRequestsWorker&id=" + query.id;
+ response.setHeader("Content-Type", "application/javascript", false);
+ response.write(
+ "var x = new XMLHttpRequest(); x.open('GET', '" + workerURL + "'); "
+ );
+ response.write("x.responseType = 'blob'; x.send(); ");
+ response.write(
+ "x.onload = () => { new Worker(URL.createObjectURL(x.response)); };"
+ );
+ return;
+ }
+
+ // source for a worker that simply calls importScripts on a script that
+ // redirects.
+ if (query.res == "makeRequestsWorker") {
+ // this is code for a worker that imports a redirected script.
+ let scriptURL =
+ thisSite +
+ resource +
+ "?redir=other&res=script&id=script-src-redir-" +
+ query.id;
+ let xhrURL =
+ thisSite +
+ resource +
+ "?redir=other&res=xhr-resp&id=xhr-src-redir-" +
+ query.id;
+ let fetchURL =
+ thisSite +
+ resource +
+ "?redir=other&res=xhr-resp&id=fetch-src-redir-" +
+ query.id;
+ response.setHeader("Content-Type", "application/javascript", false);
+ response.write("try { importScripts('" + scriptURL + "'); } catch(ex) {} ");
+ response.write(
+ "var x = new XMLHttpRequest(); x.open('GET', '" + xhrURL + "'); x.send();"
+ );
+ response.write("fetch('" + fetchURL + "');");
+ return;
+ }
+
+ // script that invokes XHR
+ if (query.res == "xhr") {
+ response.setHeader("Content-Type", "application/javascript", false);
+ var resp =
+ 'var x = new XMLHttpRequest();x.open("GET", "' +
+ thisSite +
+ resource +
+ '?redir=other&res=xhr-resp&id=xhr-src-redir", false);\n' +
+ "x.send(null);";
+ response.write(resp);
+ return;
+ }
+
+ // response to XHR
+ if (query.res == "xhr-resp") {
+ response.setHeader("Access-Control-Allow-Origin", "*", false);
+ response.setHeader("Content-Type", "text/html", false);
+ response.write("XHR response...");
+ }
+}
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-16 22:30:38 +0000