1 files changed, 61 insertions, 0 deletions

diff --git a/dom/security/test/csp/file_upgrade_insecure_cors_server.sjs b/dom/security/test/csp/file_upgrade_insecure_cors_server.sjs
new file mode 100644
index 0000000000..83957560c3
--- /dev/null
+++ b/dom/security/test/csp/file_upgrade_insecure_cors_server.sjs
@@ -0,0 +1,61 @@
+// Custom *.sjs file specifically for the needs of Bug:
+// Bug 1139297 - Implement CSP upgrade-insecure-requests directive
+
+function handleRequest(request, response) {
+  // avoid confusing cache behaviors
+  response.setHeader("Cache-Control", "no-cache", false);
+
+  // perform sanity check and make sure that all requests get upgraded to use https
+  if (request.scheme !== "https") {
+    response.write("request not https");
+    return;
+  }
+
+  var queryString = request.queryString;
+
+  // TEST 1
+  if (queryString === "test1") {
+    var newLocation =
+      "http://test1.example.com/tests/dom/security/test/csp/file_upgrade_insecure_cors_server.sjs?redir-test1";
+    response.setStatusLine("1.1", 302, "Found");
+    response.setHeader("Location", newLocation, false);
+    return;
+  }
+  if (queryString === "redir-test1") {
+    response.write("test1-no-cors-ok");
+    return;
+  }
+
+  // TEST 2
+  if (queryString === "test2") {
+    var newLocation =
+      "http://test1.example.com:443/tests/dom/security/test/csp/file_upgrade_insecure_cors_server.sjs?redir-test2";
+    response.setStatusLine("1.1", 302, "Found");
+    response.setHeader("Location", newLocation, false);
+    return;
+  }
+  if (queryString === "redir-test2") {
+    response.write("test2-no-cors-diffport-ok");
+    return;
+  }
+
+  // TEST 3
+  response.setHeader("Access-Control-Allow-Headers", "content-type", false);
+  response.setHeader("Access-Control-Allow-Methods", "POST, GET", false);
+  response.setHeader("Access-Control-Allow-Origin", "*", false);
+
+  if (queryString === "test3") {
+    var newLocation =
+      "http://test1.example.com/tests/dom/security/test/csp/file_upgrade_insecure_cors_server.sjs?redir-test3";
+    response.setStatusLine("1.1", 302, "Found");
+    response.setHeader("Location", newLocation, false);
+    return;
+  }
+  if (queryString === "redir-test3") {
+    response.write("test3-cors-ok");
+    return;
+  }
+
+  // we should not get here, but just in case return something unexpected
+  response.write("d'oh");
+}