// Custom *.sjs specifically for the needs of
// Bug 1139297 - Implement CSP upgrade-insecure-requests directive
4 Components.utils.import("resource://gre/modules/NetUtil.jsm");
// Raw bytes of a tiny PNG (base64-decoded), served by the "img" query.
const IMG_BYTES = atob([
  "iVBORw0KGgoAAAANSUhEUgAAAAUAAAAFCAYAAACNbyblAAAAHElEQVQI12",
  "P4//8/w38GIAXDIBKE0DHxgljNBAAO9TXL0Y4OHwAAAABJRU5ErkJggg==",
].join(""));

// Destination for CSP violation reports: the "report" query of this very file.
const REPORT_URI =
  "https://example.com/tests/dom/security/test/csp/" +
  "file_upgrade_insecure_reporting_server.sjs?report";

// Enforced policy: upgrade insecure subresource loads and allow only https:
// sources (plus inline script/style).
const POLICY =
  "upgrade-insecure-requests; default-src https: 'unsafe-inline'";

// Report-only policy: same source restriction but without the upgrade
// directive; violations are posted to REPORT_URI.
const POLICY_RO =
  "default-src https: 'unsafe-inline'; report-uri ".concat(REPORT_URI);
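/**
 * Load the HTML to return in the response from a file under the test
 * runner's current working directory (directory-service key "CurWorkD").
 *
 * @param path  Slash-separated path relative to CurWorkD. Each segment is
 *              appended with nsIFile.append(), which takes one path component
 *              at a time. Only the fixed paths in this file are expected here;
 *              the helper is not meant for request-controlled input.
 * @return      The file contents as a string.
 *
 * Propagates the XPCOM exception if the file cannot be opened or read.
 */
function loadHTMLFromFile(path) {
  var testHTMLFile =
    Components.classes["@mozilla.org/file/directory_service;1"].
      getService(Components.interfaces.nsIProperties).
      get("CurWorkD", Components.interfaces.nsIFile);
  var dirs = path.split("/");
  for (var i = 0; i < dirs.length; i++) {
    testHTMLFile.append(dirs[i]);
  }

  var testHTMLFileStream =
    Components.classes["@mozilla.org/network/file-input-stream;1"].
      createInstance(Components.interfaces.nsIFileInputStream);
  // ioFlags -1 selects the default (read-only) open mode.
  testHTMLFileStream.init(testHTMLFile, -1, 0, 0);
  try {
    return NetUtil.readInputStreamToString(testHTMLFileStream,
                                           testHTMLFileStream.available());
  } finally {
    // Release the file descriptor even when reading throws; the original
    // never closed the stream.
    testHTMLFileStream.close();
  }
}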
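/**
 * Request dispatcher for the upgrade-insecure-requests reporting test.
 *
 * The test drives four requests, told apart by the query string:
 *   queryresult  - parked (processAsync) until a violation report arrives
 *   toplevel     - the test page, served with POLICY and POLICY_RO
 *   img          - the image the page references
 *   report       - the CSP violation report; answers the parked request
 * Any other query gets a plain-text "doh!".
 *
 * @param request   httpd.js request; only queryString is read.
 * @param response  httpd.js response the handler writes to.
 */
function handleRequest(request, response)
{
  // avoid confusing cache behaviors
  response.setHeader("Cache-Control", "no-cache", false);

  var query = request.queryString;

  // (1) Store the query that will report back whether the violation report
  // was received. The response stays open until (4) releases it, so return
  // here rather than falling through to the "doh!" fallback.
  if (query == "queryresult") {
    response.processAsync();
    setObjectState("queryResult", response);
    return;
  }

  // (2) We load a page using a CSP and a report only CSP
  if (query == "toplevel") {
    response.setHeader("Content-Security-Policy", POLICY, false);
    response.setHeader("Content-Security-Policy-Report-Only", POLICY_RO, false);
    response.setHeader("Content-Type", "text/html", false);
    response.write(loadHTMLFromFile("tests/dom/security/test/csp/file_upgrade_insecure_reporting.html"));
    return;
  }

  // (3) Return the image back to the client
  if (query == "img") {
    response.setHeader("Content-Type", "image/png", false);
    response.write(IMG_BYTES);
    return;
  }

  // (4) Finally we receive the report, let's return the request from (1)
  // signaling that we received the report correctly
  if (query == "report") {
    getObjectState("queryResult", function(queryResponse) {
      // Nothing to release if the report arrives before (1) was parked.
      if (!queryResponse) {
        return;
      }
      queryResponse.write("report-ok");
      queryResponse.finish();
    });
    return;
  }

  // we should never get here, but just in case ...
  response.setHeader("Content-Type", "text/plain", false);
  response.write("doh!");
}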