// custom *.sjs for Bug 1277557 // META CSP: require-sri-for script; const PRE_INTEGRITY = "<!DOCTYPE HTML>" + "<html><head><meta charset=\"utf-8\">" + "<title>Bug 1277557 - CSP require-sri-for does not block when CSP is in meta tag</title>" + "<meta http-equiv=\"Content-Security-Policy\" content=\"require-sri-for script; script-src 'unsafe-inline' *\">" + "</head>" + "<body>" + "<script id=\"testscript\"" + // Using math.random() to avoid confusing cache behaviors within the test " src=\"http://mochi.test:8888/tests/dom/security/test/csp/file_require_sri_meta.js?" + Math.random() + "\""; const WRONG_INTEGRITY = " integrity=\"sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC\""; const CORRECT_INEGRITY = " integrity=\"sha384-PkcuZQHmjBQKRyv1v3x0X8qFmXiSyFyYIP+f9SU86XWvRneifdNCPg2cYFWBuKsF\""; const POST_INTEGRITY = " onload=\"window.parent.postMessage({result: 'script-loaded'}, '*');\"" + " onerror=\"window.parent.postMessage({result: 'script-blocked'}, '*');\"" + "></script>" + "</body>" + "</html>"; function handleRequest(request, response) { // avoid confusing cache behaviors response.setHeader("Cache-Control", "no-cache", false); response.setHeader("Content-Type", "text/html", false); var queryString = request.queryString; if (queryString === "no-sri") { response.write(PRE_INTEGRITY + POST_INTEGRITY); return; } if (queryString === "wrong-sri") { response.write(PRE_INTEGRITY + WRONG_INTEGRITY + POST_INTEGRITY); return; } if (queryString === "correct-sri") { response.write(PRE_INTEGRITY + CORRECT_INEGRITY + POST_INTEGRITY); return; } // we should never get here, but just in case // return something unexpected response.write("do'h"); }