

      1 // Custom *.sjs file specifically for the needs of Bug:
      2 // Bug 1139297 - Implement CSP upgrade-insecure-requests directive
      3 
// Number of distinct sub-resource loads the test page is expected to issue
// against this server; must stay equal to expectedQueries.length.
const TOTAL_EXPECTED_REQUESTS = 11;

// Document served for the "iframe" query. Its <img> deliberately uses an
// http:// URL so the test can observe whether a sub-resource inside a
// nested browsing context is upgraded as well.
const IFRAME_CONTENT = [
  "<!DOCTYPE HTML>",
  "<html>",
  "<head><meta charset='utf-8'>",
  "<title>Bug 1139297 - Implement CSP upgrade-insecure-requests directive</title>",
  "</head>",
  "<body>",
  "<img src='http://example.com/tests/dom/security/test/csp/file_upgrade_insecure_server.sjs?nested-img'></img>",
  "</body>",
  "</html>",
].join("");

// Allow-list of query strings handleRequest accepts as test probes; any
// other query (other than the control queries handled first) is answered
// with "doh!".
const expectedQueries = [
  "script",
  "style",
  "img",
  "iframe",
  "form",
  "xhr",
  "media",
  "object",
  "font",
  "img-redir",
  "nested-img",
];
     30 
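/**
 * Entry point invoked by the test HTTP server for every request to this
 * .sjs file. The state helpers (setState/getState/setObjectState/
 * getObjectState) are supplied by the host .sjs environment, not this file.
 *
 * Three kinds of requests are handled:
 *  - "queryresult": the control request; its response is parked with
 *    processAsync() and answered only once all expected probes arrived.
 *  - "redirect-image": answers 302 to an http:// image URL so the test can
 *    check that the redirect target is upgraded.
 *  - one of expectedQueries: a probe. The query is suffixed "-ok" or
 *    "-error" depending on whether it arrived over https, recorded once,
 *    and counted down against "totaltests".
 *
 * @param {object} request  - has `queryString` and `scheme`.
 * @param {object} response - has setHeader/setStatusLine/write/
 *   processAsync/finish.
 */
function handleRequest(request, response) {
  // avoid confusing cache behaviors
  response.setHeader("Cache-Control", "no-cache", false);
  let queryString = request.queryString;

  // initialize server variables and save the object state
  // of the initial request, which returns async once the
  // server has processed all requests.
  if (queryString === "queryresult") {
    setState("totaltests", TOTAL_EXPECTED_REQUESTS.toString());
    setState("receivedQueries", "");
    response.processAsync();
    setObjectState("queryResult", response);
    return;
  }

  // handle img redirect (https->http)
  if (queryString === "redirect-image") {
    const newLocation =
      "http://example.com/tests/dom/security/test/csp/file_upgrade_insecure_server.sjs?img-redir";
    response.setStatusLine("1.1", 302, "Found");
    response.setHeader("Location", newLocation, false);
    return;
  }

  // just in case error handling for unexpected queries. This is also what
  // keeps the stored list well-formed: only allow-listed names (none of
  // which contain the "," separator) ever reach the state store.
  if (!expectedQueries.includes(queryString)) {
    response.write("doh!");
    return;
  }

  // make sure all the requested queries are indeed https
  queryString += request.scheme === "https" ? "-ok" : "-error";

  // images, scripts, etc. get queried twice, do not
  // confuse the server by storing the preload as
  // well as the actual load. If either the preload
  // or the actual load is not https, then we would
  // append "-error" in the array and the test would
  // fail at the end.
  //
  // Compare whole entries rather than substrings of the joined string:
  // "img-ok" is a substring of "nested-img-ok", so a substring check would
  // silently drop the first real "img" load if "nested-img" happened to
  // arrive earlier, and the countdown below would never reach zero.
  const stored = getState("receivedQueries");
  const received = stored ? stored.split(",") : [];
  if (received.includes(queryString)) {
    return;
  }

  // append the result to the total query string array
  received.push(queryString);
  setState("receivedQueries", received.join(","));

  // keep track of how many more requests the server
  // is expecting
  const totaltests = Number.parseInt(getState("totaltests"), 10) - 1;
  setState("totaltests", totaltests.toString());

  // return content (img) for the nested iframe to test
  // that subresource requests within nested contexts
  // get upgraded as well. We also have to return
  // the iframe context in case of an error so we
  // can test both, using upgrade-insecure as well
  // as the base case of not using upgrade-insecure.
  if (queryString === "iframe-ok" || queryString === "iframe-error") {
    response.write(IFRAME_CONTENT);
  }

  // if we have received all the requests, we return
  // the result back.
  if (totaltests === 0) {
    getObjectState("queryResult", function (queryResponse) {
      // the control request may not have been issued (or may have gone
      // away); in that case there is nobody to report to.
      if (!queryResponse) {
        return;
      }
      queryResponse.write(getState("receivedQueries"));
      queryResponse.finish();
    });
  }
}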