file_punycode_host_src.sjs (1533B)
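// custom *.sjs for Bug 1224225
// Punycode in CSP host sources

// Markup up to and including the opening quote of the script's src attribute.
const HTML_PART1 =
  "<!DOCTYPE HTML>" +
  '<html><head><meta charset="utf-8">' +
  "<title>Bug 1224225 - CSP source matching should work for punycoded domain names</title>" +
  "</head>" +
  "<body>" +
  "<script id='script' src='";

// U+00E4 LATIN SMALL LETTER A WITH DIAERESIS, encoded as UTF-8 code units.
// response.write() writes out the provided string characters truncated to
// bytes, so "ä" literally would write a literal \xE4 byte, not the desired
// two-byte UTF-8 sequence.
const TESTCASE1 = "http://sub2.\xC3\xA4lt.example.org/";
// Same host as TESTCASE1, spelled in its ASCII (punycode, "xn--") form.
const TESTCASE2 = "http://sub2.xn--lt-uia.example.org/";

// Remainder of the script URL (path on the chosen origin) and the closing markup.
const HTML_PART2 =
  "tests/dom/security/test/csp/file_punycode_host_src.js'></script>" +
  "</body>" +
  "</html>";

// Script origin to serve for each supported "action" query value. A Map is
// used so that only these exact strings match, whatever the request sends.
const SCRIPT_ORIGIN_BY_ACTION = new Map([
  ["script-unicode-csp-punycode", TESTCASE1],
  ["script-punycode-csp-punycode", TESTCASE2],
]);

/**
 * Serves the test page for Bug 1224225.
 *
 * Query parameters read from request.queryString:
 *   csp    - optional; when non-empty it is sent back unchanged as the
 *            Content-Security-Policy response header.
 *   action - selects which spelling of the script host (raw UTF-8 or
 *            punycode) is written into the page's <script src>.
 *
 * @param {object} request  - request object; only queryString is read.
 * @param {object} response - response object; setHeader() and write() are called.
 */
function handleRequest(request, response) {
  // avoid confusing cache behaviors
  response.setHeader("Cache-Control", "no-cache", false);
  response.setHeader("Content-Type", "text/html", false);

  const query = new URLSearchParams(request.queryString);

  // The policy is reflected from the URL so that each test picks the CSP it
  // wants enforced. This is a test-only convenience: whoever builds the URL
  // decides the page's policy, so the pattern does not belong on an endpoint
  // that serves untrusted callers.
  const csp = query.get("csp");
  if (csp) {
    response.setHeader("Content-Security-Policy", csp, false);
  }

  // Map.get() returns undefined for a missing or unknown action.
  const scriptOrigin = SCRIPT_ORIGIN_BY_ACTION.get(query.get("action"));
  if (scriptOrigin !== undefined) {
    response.write(HTML_PART1 + scriptOrigin + HTML_PART2);
    return;
  }

  // we should never get here, but just in case
  // return something unexpected
  response.write("do'h");
}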