

// Custom *.sjs file written specifically for the needs of
// Bug 663570 - Implement Content Security Policy via meta tag.
// It serves one test page in several variants, selected by query string,
// that deliver an img-src policy via <meta>, via the response header, or both.
      3 
// Opening of the test document, everything before </head>.  The CSP <meta>
// tags below are spliced in between HTML_HEAD and HTML_BODY so that they land
// inside <head>, ahead of the <img> and <script> they are meant to govern.
const HTML_HEAD = [
  "<!DOCTYPE HTML>",
  "<html>",
  "<head>",
  "<meta charset='utf-8'>",
  "<title>Bug 663570 - Implement Content Security Policy via <meta> tag</title>",
].join("");

// Remainder of the document: an image served from the mochitest origin and an
// inline script that reports to the parent frame whether it loaded or was
// blocked.  Two things a reader should not copy into production code:
//   - postMessage(..., '*') broadcasts to whatever origin frames this page; it
//     is tolerable here only because the payload is a non-sensitive test
//     verdict and the page exists solely to be framed by its own harness.
//   - the policies below restrict only img-src, which is why this inline
//     script keeps running even when the image itself is blocked.
const HTML_BODY = [
  "</head>",
  "<body>",
  "<img id='testimage' src='http://mochi.test:8888/tests/image/test/mochitest/blue.png'></img>",
  "<script type='application/javascript'>",
  "  var myImg = document.getElementById('testimage');",
  "  myImg.onload = function(e) {",
  "    window.parent.postMessage({result: 'img-loaded'}, '*');",
  "  };",
  "  myImg.onerror = function(e) { ",
  "    window.parent.postMessage({result: 'img-blocked'}, '*');",
  "  };",
  "</script>",
  "</body>",
  "</html>",
].join("");

// Policy delivered through a <meta http-equiv> tag: deny every image load.
const META_CSP_BLOCK_IMG = `<meta http-equiv="Content-Security-Policy" content="img-src 'none'">`;

// Policy delivered through a <meta http-equiv> tag: allow images only from the
// mochitest origin (the one HTML_BODY's <img> points at).
const META_CSP_ALLOW_IMG = `<meta http-equiv="Content-Security-Policy" content="img-src http://mochi.test:8888;">`;

// The same two policies as Content-Security-Policy header values.  The
// trailing ';' is present on one and absent on the other; both are valid
// serialisations of a single-directive policy.
const HEADER_CSP_BLOCK_IMG = "img-src 'none';";
const HEADER_CSP_ALLOW_IMG = "img-src http://mochi.test:8888";
     36 
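/**
 * Serves one variant of the CSP test page, selected by the request's query
 * string ("test1" .. "test8").
 *
 * Every variant is the same document; they differ only in how (and how many
 * times) the img-src policy is delivered:
 *   test1  no policy at all
 *   test2  <meta> blocks
 *   test3  <meta> allows
 *   test4  <meta> allows, header blocks
 *   test5  <meta> blocks, header allows
 *   test6  <meta> allows, header allows
 *   test7  first <meta> allows, second <meta> blocks
 *   test8  both <meta> tags allow
 * CSP enforces every policy a document receives, whether it arrived in the
 * header or in a <meta> tag, so a load has to be permitted by all of them.
 * The expected verdict for each variant is asserted by the companion
 * mochitest, not here.
 *
 * An unrecognised query string is answered with 404 rather than a 200 whose
 * body never posts a result; the latter only ever surfaced as a silent test
 * timeout.  The query string is deliberately not echoed into the body.
 *
 * @param {nsIHttpRequest} request   only queryString and httpVersion are read
 * @param {nsIHttpResponse} response receives the headers, status and body
 */
function handleRequest(request, response) {
  // Avoid confusing cache behaviors between variants of the same URL.
  response.setHeader("Cache-Control", "no-cache", false);
  response.setHeader("Content-Type", "text/html", false);

  // Query string -> { header: CSP header value, or null for none,
  //                   metas:  CSP <meta> tags injected into <head>, in order }.
  // A Map rather than a plain object so that a stray query string such as
  // "constructor" cannot resolve to something inherited from Object.prototype.
  const variants = new Map([
    ["test1", { header: null, metas: [] }],
    ["test2", { header: null, metas: [META_CSP_BLOCK_IMG] }],
    ["test3", { header: null, metas: [META_CSP_ALLOW_IMG] }],
    ["test4", { header: HEADER_CSP_BLOCK_IMG, metas: [META_CSP_ALLOW_IMG] }],
    ["test5", { header: HEADER_CSP_ALLOW_IMG, metas: [META_CSP_BLOCK_IMG] }],
    ["test6", { header: HEADER_CSP_ALLOW_IMG, metas: [META_CSP_ALLOW_IMG] }],
    ["test7", { header: null, metas: [META_CSP_ALLOW_IMG, META_CSP_BLOCK_IMG] }],
    ["test8", { header: null, metas: [META_CSP_ALLOW_IMG, META_CSP_ALLOW_IMG] }],
  ]);

  const variant = variants.get(request.queryString);
  if (variant === undefined) {
    // We should never get here; make a harness typo visible in the server
    // log and the network panel instead of serving a page that never replies.
    response.setStatusLine(request.httpVersion, 404, "Not Found");
    response.write("do'h");
    return;
  }

  if (variant.header !== null) {
    response.setHeader("Content-Security-Policy", variant.header, false);
  }
  response.write(HTML_HEAD + variant.metas.join("") + HTML_BODY);
}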