summaryrefslogtreecommitdiffstats
path: root/dom/security/test/csp/file_dual_header_testserver.sjs
blob: d5631e783390938107ed265e75f5a82036875364 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
/*
 * Custom sjs file serving a test page using *two* CSP policies.
 * See Bug 1036399 - Multiple CSP policies should be combined towards an intersection
 */

const TIGHT_POLICY = "default-src 'self'";
const LOOSE_POLICY = "default-src 'self' 'unsafe-inline'";

function handleRequest(request, response)
{
  // avoid confusing cache behaviors
  response.setHeader("Cache-Control", "no-cache", false);

  var csp = "";
  // deliver *TWO* comma separated policies which is in fact the same as serving
  // to separate CSP headers (AppendPolicy is called twice).
  if (request.queryString == "tight") {
    // script execution will be *blocked*
    csp = TIGHT_POLICY + ", " + LOOSE_POLICY;
  }
  else {
        // script execution will be *allowed*
    csp = LOOSE_POLICY + ", " + LOOSE_POLICY;
  }
  response.setHeader("Content-Security-Policy", csp, false);

  // Send HTML to test allowed/blocked behaviors
  response.setHeader("Content-Type", "text/html", false);

  // generate an html file that contains a div container which is updated
  // in case the inline script is *not* blocked by CSP.
  var html = "<!DOCTYPE HTML>" +
             "<html>" +
             "<head>" +
             "<title>Testpage for Bug 1036399</title>" +
             "</head>" +
             "<body>" +
             "<div id='testdiv'>blocked</div>" +
             "<script type='text/javascript'>" +
             "document.getElementById('testdiv').innerHTML = 'allowed';" +
             "</script>" +
             "</body>" +
             "</html>";

  response.write(html);
}