// SJS file to serve resources for CSP redirect tests // This file mimics serving resources, e.g. fonts, images, etc., which a CSP // can include. The resource may redirect to a different resource, if specified. function handleRequest(request, response) { var query = {}; request.queryString.split('&').forEach(function (val) { var [name, value] = val.split('='); query[name] = unescape(value); }); var thisSite = "http://mochi.test:8888"; var otherSite = "http://example.com"; var resource = "/tests/dom/security/test/csp/file_redirects_resource.sjs"; response.setHeader("Cache-Control", "no-cache", false); // redirect to a resource on this site if (query["redir"] == "same") { var loc = thisSite+resource+"?res="+query["res"]+"&testid="+query["id"]; response.setStatusLine("1.1", 302, "Found"); response.setHeader("Location", loc, false); return; } // redirect to a resource on a different site else if (query["redir"] == "other") { var loc = otherSite+resource+"?res="+query["res"]+"&testid="+query["id"]; response.setStatusLine("1.1", 302, "Found"); response.setHeader("Location", loc, false); return; } // not a redirect. serve some content. // the content doesn't have to be valid, since we're only checking whether // the request for the content was sent or not. // downloadable font if (query["res"] == "font") { response.setHeader("Access-Control-Allow-Origin", "*", false); response.setHeader("Content-Type", "text/plain", false); response.write("font data..."); return; } // iframe with arbitrary content if (query["res"] == "iframe") { response.setHeader("Content-Type", "text/html", false); response.write("iframe content..."); return; } // image if (query["res"] == "image") { response.setHeader("Content-Type", "image/gif", false); response.write("image data..."); return; } // media content, e.g. Ogg video if (query["res"] == "media") { response.setHeader("Content-Type", "video/ogg", false); response.write("video data..."); return; } // plugin content, e.g. if (query["res"] == "object") { response.setHeader("Content-Type", "text/html", false); response.write("object data..."); return; } // script if (query["res"] == "script") { response.setHeader("Content-Type", "application/javascript", false); response.write("some script..."); return; } // external stylesheet if (query["res"] == "style") { response.setHeader("Content-Type", "text/css", false); response.write("css data..."); return; } // internal stylesheet that loads an image from an external site if (query["res"] == "cssLoader") { let bgURL = thisSite + resource + '?redir=other&res=image&id=' + query["id"]; response.setHeader("Content-Type", "text/css", false); response.write("body { background:url('" + bgURL + "'); }"); return; } // script that loads an internal worker that uses importScripts on a redirect // to an external script. if (query["res"] == "loadWorkerThatMakesRequests") { // this creates a worker (same origin) that imports a redirecting script. let workerURL = thisSite + resource + '?res=makeRequestsWorker&id=' + query["id"]; response.setHeader("Content-Type", "application/javascript", false); response.write("new Worker('" + workerURL + "');"); return; } // script that loads an internal worker that uses importScripts on a redirect // to an external script. if (query["res"] == "loadBlobWorkerThatMakesRequests") { // this creates a worker (same origin) that imports a redirecting script. let workerURL = thisSite + resource + '?res=makeRequestsWorker&id=' + query["id"]; response.setHeader("Content-Type", "application/javascript", false); response.write("var x = new XMLHttpRequest(); x.open('GET', '" + workerURL + "'); "); response.write("x.responseType = 'blob'; x.send(); "); response.write("x.onload = () => { new Worker(URL.createObjectURL(x.response)); };"); return; } // source for a worker that simply calls importScripts on a script that // redirects. if (query["res"] == "makeRequestsWorker") { // this is code for a worker that imports a redirected script. let scriptURL = thisSite + resource + "?redir=other&res=script&id=script-src-redir-" + query["id"]; let xhrURL = thisSite + resource + "?redir=other&res=xhr-resp&id=xhr-src-redir-" + query["id"]; let fetchURL = thisSite + resource + "?redir=other&res=xhr-resp&id=fetch-src-redir-" + query["id"]; response.setHeader("Content-Type", "application/javascript", false); response.write("try { importScripts('" + scriptURL + "'); } catch(ex) {} "); response.write("var x = new XMLHttpRequest(); x.open('GET', '" + xhrURL + "'); x.send();"); response.write("fetch('" + fetchURL + "');"); return; } // script that invokes XHR if (query["res"] == "xhr") { response.setHeader("Content-Type", "application/javascript", false); var resp = 'var x = new XMLHttpRequest();x.open("GET", "' + thisSite + resource+'?redir=other&res=xhr-resp&id=xhr-src-redir", false);\n' + 'x.send(null);'; response.write(resp); return; } // response to XHR if (query["res"] == "xhr-resp") { response.setHeader("Access-Control-Allow-Origin", "*", false); response.setHeader("Content-Type", "text/html", false); response.write('XHR response...'); return; } }