file_upgrade_insecure_docwrite_iframe.sjs (1566B)
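// Custom *.sjs for Bug 1273430
// META CSP: upgrade-insecure-requests
//
// Serves two fixed documents, selected by the exact query string:
//   ?testframe     -> TEST_FRAME, which carries the CSP meta tag and uses
//                     document.write() to inject an iframe with an http: URL.
//   ?docwriteframe -> DOC_WRITE_FRAME, the injected iframe's document, which
//                     reports the URL it was loaded from.

// Important: IFRAME_URL is *http* and needs to be upgraded to *https* by
// upgrade-insecure-requests.
const IFRAME_URL =
  "http://example.com/tests/dom/security/test/csp/file_upgrade_insecure_docwrite_iframe.sjs?docwriteframe";

// Outer document. The CSP is delivered through <meta http-equiv>, and the
// iframe is created by document.write() in a script that follows that tag.
const TEST_FRAME = `
<!DOCTYPE HTML>
<html><head><meta charset="utf-8">
<title>TEST_FRAME</title>
<meta http-equiv="Content-Security-Policy" content="upgrade-insecure-requests">
</head>
<body>
<script type="text/javascript">
  document.write('<iframe src="${IFRAME_URL}"/>');
</script>
</body>
</html>`;

// doc.write(iframe) sends a post message to the parent indicating the current
// location so the parent can make sure the request was upgraded to *https*.
// The message goes to window.parent.parent with a '*' target origin and
// carries only document.location.href.
// NOTE(review): presumably the wildcard is used because the receiving test
// page is on a different origin than the upgraded frame - confirm against the
// test page. Outside a test fixture, name the expected target origin instead.
const DOC_WRITE_FRAME = `
<!DOCTYPE HTML>
<html><head><meta charset="utf-8">
<title>DOC_WRITE_FRAME</title>
</head>
<body onload="window.parent.parent.postMessage({result: document.location.href}, '*');">
</body>
</html>`;

/**
 * Writes one of the two fixed test documents, chosen by the query string.
 *
 * The query string is only compared against known values; it is never copied
 * into the response, so every response body is a constant.
 *
 * @param {object} request - Incoming request; only `queryString` is read.
 * @param {object} response - Outgoing response; `setHeader` and `write` are
 *   called on it.
 */
function handleRequest(request, response) {
  // avoid confusing cache behaviors
  response.setHeader("Cache-Control", "no-cache", false);
  response.setHeader("Content-Type", "text/html", false);

  const { queryString } = request;

  if (queryString === "testframe") {
    response.write(TEST_FRAME);
    return;
  }

  if (queryString === "docwriteframe") {
    response.write(DOC_WRITE_FRAME);
    return;
  }

  // we should never get here, but just in case
  // return something unexpected
  response.write("do'h");
}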