summaryrefslogtreecommitdiffstats
path: root/dom/security/test/csp/file_meta_header_dual.sjs
blob: 445b3e444ebeb3f9e0e6d3d055657d161e92e5ae (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
// Custom *.sjs file specifically for the needs of Bug:
// Bug 663570 - Implement Content Security Policy via meta tag

const HTML_HEAD =
  "<!DOCTYPE HTML>" +
  "<html>" +
  "<head>" +
  "<meta charset='utf-8'>" +
  "<title>Bug 663570 - Implement Content Security Policy via <meta> tag</title>";

const HTML_BODY =
  "</head>" +
  "<body>" +
  "<img id='testimage' src='http://mochi.test:8888/tests/image/test/mochitest/blue.png'></img>" +
  "<script type='application/javascript'>" +
  "  var myImg = document.getElementById('testimage');" +
  "  myImg.onload = function(e) {" +
  "    window.parent.postMessage({result: 'img-loaded'}, '*');" +
  "  };" +
  "  myImg.onerror = function(e) { " +
  "    window.parent.postMessage({result: 'img-blocked'}, '*');" +
  "  };" +
  "</script>" +
  "</body>" +
  "</html>";

const META_CSP_BLOCK_IMG =
  '<meta http-equiv="Content-Security-Policy" content="img-src \'none\'">';

const META_CSP_ALLOW_IMG =
  '<meta http-equiv="Content-Security-Policy" content="img-src http://mochi.test:8888;">';

const HEADER_CSP_BLOCK_IMG = "img-src 'none';";

const HEADER_CSP_ALLOW_IMG = "img-src http://mochi.test:8888";

function handleRequest(request, response) {
  // avoid confusing cache behaviors
  response.setHeader("Cache-Control", "no-cache", false);
  response.setHeader("Content-Type", "text/html", false);
  var queryString = request.queryString;

  if (queryString === "test1") {
    /* load image without any CSP */
    response.write(HTML_HEAD + HTML_BODY);
    return;
  }

  if (queryString === "test2") {
    /* load image where meta denies load */
    response.write(HTML_HEAD + META_CSP_BLOCK_IMG + HTML_BODY);
    return;
  }

  if (queryString === "test3") {
    /* load image where meta allows load */
    response.write(HTML_HEAD + META_CSP_ALLOW_IMG + HTML_BODY);
    return;
  }

  if (queryString === "test4") {
    /* load image where meta allows but header blocks */
    response.setHeader("Content-Security-Policy", HEADER_CSP_BLOCK_IMG, false);
    response.write(HTML_HEAD + META_CSP_ALLOW_IMG + HTML_BODY);
    return;
  }

  if (queryString === "test5") {
    /* load image where meta blocks but header allows */
    response.setHeader("Content-Security-Policy", HEADER_CSP_ALLOW_IMG, false);
    response.write(HTML_HEAD + META_CSP_BLOCK_IMG + HTML_BODY);
    return;
  }

  if (queryString === "test6") {
    /* load image where meta allows and header allows */
    response.setHeader("Content-Security-Policy", HEADER_CSP_ALLOW_IMG, false);
    response.write(HTML_HEAD + META_CSP_ALLOW_IMG + HTML_BODY);
    return;
  }

  if (queryString === "test7") {
    /* load image where meta1 allows but meta2 blocks */
    response.write(
      HTML_HEAD + META_CSP_ALLOW_IMG + META_CSP_BLOCK_IMG + HTML_BODY
    );
    return;
  }

  if (queryString === "test8") {
    /* load image where meta1 allows and meta2 allows */
    response.write(
      HTML_HEAD + META_CSP_ALLOW_IMG + META_CSP_ALLOW_IMG + HTML_BODY
    );
    return;
  }

  // we should never get here, but just in case, return
  // something unexpected
  response.write("do'h");
}