mirror of
https://github.com/classilla/tenfourfox.git
synced 2024-11-20 10:33:36 +00:00
47 lines
1.5 KiB
JavaScript
47 lines
1.5 KiB
JavaScript
/*
|
|
* Custom sjs file serving a test page using *two* CSP policies.
|
|
* See Bug 1036399 - Multiple CSP policies should be combined towards an intersection
|
|
*/
|
|
|
|
const TIGHT_POLICY = "default-src 'self'";
|
|
const LOOSE_POLICY = "default-src 'self' 'unsafe-inline'";
|
|
|
|
function handleRequest(request, response)
|
|
{
|
|
// avoid confusing cache behaviors
|
|
response.setHeader("Cache-Control", "no-cache", false);
|
|
|
|
var csp = "";
|
|
// deliver *TWO* comma separated policies which is in fact the same as serving
|
|
// to separate CSP headers (AppendPolicy is called twice).
|
|
if (request.queryString == "tight") {
|
|
// script execution will be *blocked*
|
|
csp = TIGHT_POLICY + ", " + LOOSE_POLICY;
|
|
}
|
|
else {
|
|
// script execution will be *allowed*
|
|
csp = LOOSE_POLICY + ", " + LOOSE_POLICY;
|
|
}
|
|
response.setHeader("Content-Security-Policy", csp, false);
|
|
|
|
// Send HTML to test allowed/blocked behaviors
|
|
response.setHeader("Content-Type", "text/html", false);
|
|
|
|
// generate an html file that contains a div container which is updated
|
|
// in case the inline script is *not* blocked by CSP.
|
|
var html = "<!DOCTYPE HTML>" +
|
|
"<html>" +
|
|
"<head>" +
|
|
"<title>Testpage for Bug 1036399</title>" +
|
|
"</head>" +
|
|
"<body>" +
|
|
"<div id='testdiv'>blocked</div>" +
|
|
"<script type='text/javascript'>" +
|
|
"document.getElementById('testdiv').innerHTML = 'allowed';" +
|
|
"</script>" +
|
|
"</body>" +
|
|
"</html>";
|
|
|
|
response.write(html);
|
|
}
|