csp-document-disallow-loader.h2.py (1598B)
import os


def handle_headers(frame, request, response):
    """Emit a 103 Early Hints header frame, then the final 200 headers.

    Query parameters read from ``request.GET``:

    * ``resource-url``: target of the ``Link: rel=preload; as=script`` hint.
    * ``early-hints-policy``: must be ``"allowed"`` or ``"absent"``.
    * ``resource-origin``: read only when the policy is ``"allowed"``; it is
      appended as a ``script-src`` source in the CSP sent with the 103.

    ``frame`` is not used by this handler.

    NOTE(review): ``resource-url`` and ``resource-origin`` are copied from the
    query string into the ``link`` and ``content-security-policy`` header
    values with no validation visible here. That is presumably acceptable
    because the only caller is the test page; the same pattern would let a
    request choose the preload target and widen ``script-src`` if the query
    were untrusted.
    """
    # Build the 103 (Early Hints) header list.
    preload_target = request.GET.first(b"resource-url").decode()
    hints = [
        (b":status", b"103"),
        (b"link", "<{}>; rel=preload; as=script".format(preload_target)),
    ]

    policy = request.GET.first(b"early-hints-policy").decode()
    # Only "allowed" and "absent" are valid in this handler, because
    # csp-document-disallow.html always sets a CSP that disallows the preload.
    # "disallowed" would make no observable change in the test;
    # csp-basic.html covers disallowing preloads in Early Hints.
    assert policy in ("allowed", "absent")

    if policy == "allowed":
        # The 103 response's CSP permits the preloaded script's origin.
        allowed_origin = request.GET.first(b"resource-origin").decode()
        hints.append((
            b"content-security-policy",
            "script-src 'self' 'unsafe-inline' {}".format(allowed_origin),
        ))

    response.writer.write_raw_header_frame(headers=hints, end_headers=True)

    # Send the final response header.
    response.status = 200
    response.headers["content-type"] = "text/html"
    response.write_status_headers()


def main(request, response):
    """Write csp-document-disallow.html, found next to this file, as the body."""
    here = os.path.dirname(os.path.realpath(__file__))
    with open(os.path.join(here, "csp-document-disallow.html"), "r") as page:
        body = page.read()
    response.writer.write_data(item=body, last=True)