summaryrefslogtreecommitdiffstats
path: root/dom/security/test/csp/file_upgrade_insecure_server.sjs
blob: 05d027c07895eacdff0a464e056e303542019c94 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
// Custom *.sjs file specifically for the needs of Bug:
// Bug 1139297 - Implement CSP upgrade-insecure-requests directive

const TOTAL_EXPECTED_REQUESTS = 11;

const IFRAME_CONTENT =
  "<!DOCTYPE HTML>" +
  "<html>" +
  "<head><meta charset='utf-8'>" +
  "<title>Bug 1139297 - Implement CSP upgrade-insecure-requests directive</title>" +
  "</head>" +
  "<body>" +
  "<img src='http://example.com/tests/dom/security/test/csp/file_upgrade_insecure_server.sjs?nested-img'></img>" +
  "</body>" +
  "</html>";

const expectedQueries = [
  "script",
  "style",
  "img",
  "iframe",
  "form",
  "xhr",
  "media",
  "object",
  "font",
  "img-redir",
  "nested-img",
];

function handleRequest(request, response) {
  // avoid confusing cache behaviors
  response.setHeader("Cache-Control", "no-cache", false);
  var queryString = request.queryString;

  // initialize server variables and save the object state
  // of the initial request, which returns async once the
  // server has processed all requests.
  if (queryString == "queryresult") {
    setState("totaltests", TOTAL_EXPECTED_REQUESTS.toString());
    setState("receivedQueries", "");
    response.processAsync();
    setObjectState("queryResult", response);
    return;
  }

  // handle img redirect (https->http)
  if (queryString == "redirect-image") {
    var newLocation =
      "http://example.com/tests/dom/security/test/csp/file_upgrade_insecure_server.sjs?img-redir";
    response.setStatusLine("1.1", 302, "Found");
    response.setHeader("Location", newLocation, false);
    return;
  }

  // just in case error handling for unexpected queries
  if (expectedQueries.indexOf(queryString) == -1) {
    response.write("doh!");
    return;
  }

  // make sure all the requested queries are indeed https
  queryString += request.scheme == "https" ? "-ok" : "-error";

  var receivedQueries = getState("receivedQueries");

  // images, scripts, etc. get queried twice, do not
  // confuse the server by storing the preload as
  // well as the actual load. If either the preload
  // or the actual load is not https, then we would
  // append "-error" in the array and the test would
  // fail at the end.
  if (receivedQueries.includes(queryString)) {
    return;
  }

  // append the result to the total query string array
  if (receivedQueries != "") {
    receivedQueries += ",";
  }
  receivedQueries += queryString;
  setState("receivedQueries", receivedQueries);

  // keep track of how many more requests the server
  // is expecting
  var totaltests = parseInt(getState("totaltests"));
  totaltests -= 1;
  setState("totaltests", totaltests.toString());

  // return content (img) for the nested iframe to test
  // that subresource requests within nested contexts
  // get upgraded as well. We also have to return
  // the iframe context in case of an error so we
  // can test both, using upgrade-insecure as well
  // as the base case of not using upgrade-insecure.
  if (queryString == "iframe-ok" || queryString == "iframe-error") {
    response.write(IFRAME_CONTENT);
  }

  // if we have received all the requests, we return
  // the result back.
  if (totaltests == 0) {
    getObjectState("queryResult", function (queryResponse) {
      if (!queryResponse) {
        return;
      }
      var receivedQueries = getState("receivedQueries");
      queryResponse.write(receivedQueries);
      queryResponse.finish();
    });
  }
}