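// custom *.sjs for Bug 1122236
// CSP: 'block-all-mixed-content'

// Document head shared by every variant this script serves.
const HEAD =
  "<!DOCTYPE HTML>" +
  '<html><head><meta charset="utf-8">' +
  "<title>Bug 1122236 - CSP: Implement block-all-mixed-content</title>" +
  "</head>";

// Meta-delivered policy that explicitly permits images from any source.
const CSP_ALLOW =
  '<meta http-equiv="Content-Security-Policy" content="img-src *">';

// Meta-delivered policy carrying the directive under test.
const CSP_BLOCK =
  '<meta http-equiv="Content-Security-Policy" content="block-all-mixed-content">';

// Plain-http image URL: when the embedding document is loaded over https
// (presumably how the harness runs this test) it is a mixed-content load.
const IMG_SRC = "http://mochi.test:8888/tests/image/test/mochitest/blue.png";

/**
 * Builds the test document body around one <img> element.
 *
 * The inline script reports the outcome to the embedding frame: "img-loaded"
 * from onload, "img-blocked" from onerror. The "*" targetOrigin is intentional
 * here — this is fixture markup whose only consumer is the test frame.
 *
 * @param {string} imgSrc - value placed in the <img> src attribute.
 * @returns {string} the "<body>…</html>" fragment.
 */
function buildBody(imgSrc) {
  return (
    "<body>" +
    `<img id="testimage" src="${imgSrc}"></img>` +
    '<script type="application/javascript">' +
    '  var myImg = document.getElementById("testimage");' +
    "  myImg.onload = function(e) {" +
    '    window.parent.postMessage({result: "img-loaded"}, "*");' +
    "  };" +
    "  myImg.onerror = function(e) {" +
    '    window.parent.postMessage({result: "img-blocked"}, "*");' +
    "  };" +
    "</script>" +
    "</body>" +
    "</html>"
  );
}

const BODY = buildBody(IMG_SRC);

// We have to use this special code fragment, in particular '?nocache' to trigger an
// actual network load rather than loading the image from the cache.
const BODY_CSPRO = buildBody(IMG_SRC + "?nocache");
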
/**
 * httpd.js entry point: picks the test document by the raw query string.
 *
 * Recognised values are "csp-block", "csp-allow", "no-csp" and "cspro-block";
 * anything else gets a deliberately unexpected body so the test fails loudly.
 *
 * @param {object} request - httpd.js request; only `queryString` is read.
 * @param {object} response - httpd.js response; headers are set before any write.
 */
function handleRequest(request, response) {
  // avoid confusing cache behaviors
  response.setHeader("Cache-Control", "no-cache", false);

  // A Map rather than a plain object so an odd query value such as
  // "constructor" can never resolve to an inherited property.
  const writers = new Map([
    ["csp-block", (res) => res.write(HEAD + CSP_BLOCK + BODY)],
    ["csp-allow", (res) => res.write(HEAD + CSP_ALLOW + BODY)],
    ["no-csp", (res) => res.write(HEAD + BODY)],
    [
      "cspro-block",
      (res) => {
        // CSP RO is not supported in meta tag, let's use the header
        res.setHeader(
          "Content-Security-Policy-Report-Only",
          "block-all-mixed-content",
          false
        );
        res.write(HEAD + BODY_CSPRO);
      },
    ],
  ]);

  const writer = writers.get(request.queryString);
  if (writer === undefined) {
    // we should never get here but just in case return something unexpected
    response.write("do'h");
    return;
  }
  writer(response);
}