file_dual_header_testserver.sjs (1459B)
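/*
 * Custom sjs file serving a test page using *two* CSP policies.
 * See Bug 1036399 - Multiple CSP policies should be combined towards an intersection
 *
 * A resource has to satisfy *every* delivered policy, so pairing the tight
 * policy (no 'unsafe-inline') with the loose one must still block the inline
 * script; the page only reads "allowed" when both policies permit it.
 */

const TIGHT_POLICY = "default-src 'self'";
const LOOSE_POLICY = "default-src 'self' 'unsafe-inline'";

/**
 * Serve the test page with two comma-separated CSP policies.
 *
 * @param {object} request - the incoming request; only `queryString` is read
 *   ("tight" selects the blocking combination, anything else the allowing one).
 * @param {object} response - the response object; `setHeader` and `write` are called.
 * @returns {undefined}
 */
function handleRequest(request, response) {
  // avoid confusing cache behaviors
  response.setHeader("Cache-Control", "no-cache", false);

  // deliver *TWO* comma separated policies which is in fact the same as serving
  // two separate CSP headers (AppendPolicy is called twice).
  let csp;
  if (request.queryString === "tight") {
    // script execution will be *blocked*: the tight policy lacks 'unsafe-inline'
    csp = TIGHT_POLICY + ", " + LOOSE_POLICY;
  } else {
    // script execution will be *allowed*: both policies carry 'unsafe-inline'
    csp = LOOSE_POLICY + ", " + LOOSE_POLICY;
  }
  response.setHeader("Content-Security-Policy", csp, false);

  // Send HTML to test allowed/blocked behaviors
  response.setHeader("Content-Type", "text/html", false);

  // generate an html file that contains a div container which is updated
  // in case the inline script is *not* blocked by CSP.
  const html =
    "<!DOCTYPE HTML>" +
    "<html>" +
    "<head>" +
    "<title>Testpage for Bug 1036399</title>" +
    "</head>" +
    "<body>" +
    "<div id='testdiv'>blocked</div>" +
    "<script type='text/javascript'>" +
    "document.getElementById('testdiv').innerHTML = 'allowed';" +
    "</script>" +
    "</body>" +
    "</html>";

  response.write(html);
}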