/*
* Custom sjs file serving a test page using *two* CSP policies.
* See Bug 1036399 - Multiple CSP policies should be combined towards an intersection
*/
// Restrictive policy: resources only from the page's own origin, which also
// disallows inline script. Used as the first policy for the "tight" case.
const TIGHT_POLICY = "default-src 'self'";
// Relaxed policy: same-origin resources plus 'unsafe-inline', so the inline
// test script is allowed when this policy is the only constraint.
const LOOSE_POLICY = "default-src 'self' 'unsafe-inline'";
/**
 * httpd.js request handler: replies with a small HTML test page whose
 * Content-Security-Policy header carries two comma-separated policies.
 *
 * Two comma-separated policies are treated the same as two separate CSP
 * headers (AppendPolicy is called twice), so the effective policy is their
 * intersection. Query string "tight" pairs TIGHT_POLICY with LOOSE_POLICY and
 * the inline script is blocked; any other query string repeats LOOSE_POLICY
 * and the inline script runs.
 *
 * @param {Object} request  - incoming request; only `queryString` is read
 * @param {Object} response - outgoing response; headers and body are written here
 */
function handleRequest(request, response) {
  // Keep the test deterministic: never serve this page from cache.
  response.setHeader("Cache-Control", "no-cache", false);

  // Pick the first policy from the query string; the second is always loose.
  const isTight = request.queryString === "tight";
  const firstPolicy = isTight ? TIGHT_POLICY : LOOSE_POLICY;
  const csp = `${firstPolicy}, ${LOOSE_POLICY}`;
  response.setHeader("Content-Security-Policy", csp, false);

  response.setHeader("Content-Type", "text/html", false);

  // The div starts out as "blocked"; the inline script flips it to "allowed"
  // only when CSP lets the script execute.
  const page = [
    "<!DOCTYPE HTML>",
    "<html>",
    "<head>",
    "<title>Testpage for Bug 1036399</title>",
    "</head>",
    "<body>",
    "<div id='testdiv'>blocked</div>",
    "<script type='text/javascript'>",
    "document.getElementById('testdiv').innerHTML = 'allowed';",
    "</script>",
    "</body>",
    "</html>",
  ].join("");
  response.write(page);
}