/* * Custom sjs file serving a test page using *two* CSP policies. * See Bug 1036399 - Multiple CSP policies should be combined towards an intersection */ const TIGHT_POLICY = "default-src 'self'"; const LOOSE_POLICY = "default-src 'self' 'unsafe-inline'"; function handleRequest(request, response) { // avoid confusing cache behaviors response.setHeader("Cache-Control", "no-cache", false); var csp = ""; // deliver *TWO* comma separated policies which is in fact the same as serving // to separate CSP headers (AppendPolicy is called twice). if (request.queryString == "tight") { // script execution will be *blocked* csp = TIGHT_POLICY + ", " + LOOSE_POLICY; } else { // script execution will be *allowed* csp = LOOSE_POLICY + ", " + LOOSE_POLICY; } response.setHeader("Content-Security-Policy", csp, false); // Send HTML to test allowed/blocked behaviors response.setHeader("Content-Type", "text/html", false); // generate an html file that contains a div container which is updated // in case the inline script is *not* blocked by CSP. var html = "" + "" + "" + "Testpage for Bug 1036399" + "" + "" + "
blocked
" + "" + "" + ""; response.write(html); }