/**
 * Custom *.sjs specifically for the needs of
 * Bug 921493 - CSP: test allowlisting of scheme-relative sources
 */

/**
 * Serves a small HTML document whose CSP header and whose external script
 * URL scheme are both taken from the query string, so the test driver can
 * observe whether a scheme-relative source in the policy lets the script
 * load.
 *
 * @param {object} request  - server request; only `request.queryString` is
 *   read. It is expected to carry `scheme=<scheme>&policy=<CSP header value>`
 *   (presumably supplied by the test driver, not by end users).
 * @param {object} response - server response; receives three headers via
 *   `setHeader(name, value, merge)` and the markup via `write(html)`.
 */
function handleRequest(request, response) {
  const params = new URLSearchParams(request.queryString);
  const scheme = params.get("scheme");
  const policy = params.get("policy");

  // The script URL carries the scheme under test; the CSP header set below
  // is what decides whether this load is permitted.
  const scriptUrl = `${scheme}://example.com/tests/dom/security/test/csp/file_scheme_relative_sources.js`;

  const fragments = [
    "<!DOCTYPE HTML>",
    "<html>",
    "<head>",
    "<title>test schemeless sources within CSP</title>",
    "</head>",
    "<body> ",
    "<div id='testdiv'>blocked</div>",
    // External script under test; if the policy lets it run it is
    // presumably what replaces the "blocked" text in #testdiv.
    `<script src='${scriptUrl}'></script>`,
    // Inline script: once the page has loaded, report #testdiv's content to
    // the parent window so the driver learns whether the external script
    // ran inside the sandboxed iframe.
    "<script type='application/javascript'>",
    "window.onload = function() {",
    "var inner = document.getElementById('testdiv').innerHTML;",
    "window.parent.postMessage({ result: inner }, '*');",
    "}",
    "</script>",
    "</body>",
    "</html>",
  ];

  // Both query-derived values (scheme, policy) are emitted unescaped — into
  // the script src attribute and into the CSP header respectively. This
  // fixture relies on the test harness supplying well-formed values.
  response.setHeader("Cache-Control", "no-cache", false);
  response.setHeader("Content-Type", "text/html", false);
  response.setHeader("Content-Security-Policy", policy, false);

  response.write(fragments.join(""));
}