file_base_uri_server.sjs (1599B)
// Custom *.sjs file specifically for the needs of
// https://bugzilla.mozilla.org/show_bug.cgi?id=1263286
//
// Test-only responder: every value it emits (the CSP header and both <base>
// hrefs) is copied from the request's query string without validation or
// escaping. Reusing this pattern outside a test fixture would first require
// escaping the attribute values and fixing the policy on the server side.

"use strict";

// Document prologue, left open inside <head> so the <base> tags can follow.
const PRE_BASE = `
<!DOCTYPE HTML>
<html>
<head>
<title>Bug 1045897 - Test CSP base-uri directive</title>`;

// Tail for "enforce-csp": once loaded, the page reports document.baseURI to
// its parent frame. The "*" target origin places no restriction on which
// origin may receive the message.
const REGULAR_POST_BASE = `
</head>
<body onload='window.parent.postMessage({result: document.baseURI}, "*");'>
<!-- just making use of the 'base' tag for this test -->
</body>
</html>`;

// Tail for "remove-base1": an inline script strips the href from the first
// <base> element and then reports document.baseURI to the parent frame,
// again with an unrestricted ("*") target origin.
const SCRIPT_POST_BASE = `
</head>
<body>
<script>
document.getElementById("base1").removeAttribute("href");
window.parent.postMessage({result: document.baseURI}, "*");
</script>
</body>
</html>`;

/**
 * Builds the test document for one request.
 *
 * Query parameters read:
 *   csp    - sent back verbatim as the Content-Security-Policy header
 *   base1  - href of <base id="base1">
 *   base2  - href of <base id="base2">
 *   action - "enforce-csp" or "remove-base1"; selects the document tail
 *
 * @param {object} request - only `request.queryString` is read.
 * @param {object} response - receives `setHeader(name, value, false)` and
 *   `write(text)` calls.
 */
function handleRequest(request, response) {
  const params = new URLSearchParams(request.queryString);

  // Header order: caching off, then the policy under test, then the type.
  const headers = [
    // avoid confusing cache behaviors
    ["Cache-Control", "no-cache"],
    // the policy comes straight from the URL; a missing "csp" yields null
    ["Content-Security-Policy", params.get("csp")],
    ["Content-Type", "text/html"],
  ];
  for (const [name, value] of headers) {
    response.setHeader(name, value, false);
  }

  response.write(PRE_BASE);

  // The href is interpolated as-is (no HTML-attribute escaping); a missing
  // parameter is rendered as the text "null".
  const baseTag = (id) => `<base id="${id}" href="${params.get(id)}">`;
  response.write(baseTag("base1") + baseTag("base2"));

  let tail;
  switch (params.get("action")) {
    case "enforce-csp":
      tail = REGULAR_POST_BASE;
      break;
    case "remove-base1":
      tail = SCRIPT_POST_BASE;
      break;
    default:
      // we should never get here, but just in case
      // return something unexpected
      tail = "do'h";
  }
  response.write(tail);
}