/*
* Custom sjs file serving a test page using *two* CSP policies.
* See Bug 1036399 - Multiple CSP policies should be combined towards an intersection
*/
const TIGHT_POLICY = "default-src 'self'";
const LOOSE_POLICY = "default-src 'self' 'unsafe-inline'";
function handleRequest(request, response) {
// avoid confusing cache behaviors
response.setHeader("Cache-Control", "no-cache", false);
var csp = "";
// deliver *TWO* comma separated policies which is in fact the same as serving
// to separate CSP headers (AppendPolicy is called twice).
if (request.queryString == "tight") {
// script execution will be *blocked*
csp = TIGHT_POLICY + ", " + LOOSE_POLICY;
} else {
// script execution will be *allowed*
csp = LOOSE_POLICY + ", " + LOOSE_POLICY;
}
response.setHeader("Content-Security-Policy", csp, false);
// Send HTML to test allowed/blocked behaviors
response.setHeader("Content-Type", "text/html", false);
// generate an html file that contains a div container which is updated
// in case the inline script is *not* blocked by CSP.
var html =
"<!DOCTYPE HTML>" +
"<html>" +
"<head>" +
"<title>Testpage for Bug 1036399</title>" +
"</head>" +
"<body>" +
"<div id='testdiv'>blocked</div>" +
"<script type='text/javascript'>" +
"document.getElementById('testdiv').innerHTML = 'allowed';" +
"</script>" +
"</body>" +
"</html>";
response.write(html);
}
