file_redirects_resource.sjs

Enable keyboard shortcuts

// SJS file to serve resources for CSP redirect tests

// This file mimics serving resources, e.g. fonts, images, etc., which a CSP

// can include. The resource may redirect to a different resource, if specified.

function handleRequest(request, response) {

  var query = {};

  request.queryString.split("&").forEach(function (val) {

    var [name, value] = val.split("=");

    query[name] = unescape(value);

});

  var thisSite = "http://mochi.test:8888";

  var otherSite = "http://example.com";

  var resource = "/tests/dom/security/test/csp/file_redirects_resource.sjs";

  response.setHeader("Cache-Control", "no-cache", false);

  // redirect to a resource on this site

  if (query.redir == "same") {

    var loc = thisSite + resource + "?res=" + query.res + "&testid=" + query.id;

    response.setStatusLine("1.1", 302, "Found");

    response.setHeader("Location", loc, false);

    return;

  // redirect to a resource on a different site

  else if (query.redir == "other") {

    var loc =

      otherSite + resource + "?res=" + query.res + "&testid=" + query.id;

    response.setStatusLine("1.1", 302, "Found");

    response.setHeader("Location", loc, false);

    return;

  // not a redirect.  serve some content.

  // the content doesn't have to be valid, since we're only checking whether

  // the request for the content was sent or not.

  // downloadable font

  if (query.res == "font") {

    response.setHeader("Access-Control-Allow-Origin", "*", false);

    response.setHeader("Content-Type", "text/plain", false);

    response.write("font data...");

    return;

  // iframe with arbitrary content

  if (query.res == "iframe") {

    response.setHeader("Content-Type", "text/html", false);

    response.write("iframe content...");

    return;

  // image

  if (query.res == "image") {

    response.setHeader("Content-Type", "image/gif", false);

    response.write("image data...");

    return;

  // media content, e.g. Ogg video

  if (query.res == "media") {

    response.setHeader("Content-Type", "video/ogg", false);

    response.write("video data...");

    return;

  // plugin content, e.g. <object>

  if (query.res == "object") {

    response.setHeader("Content-Type", "text/html", false);

    response.write("object data...");

    return;

  // script

  if (query.res == "script") {

    response.setHeader("Content-Type", "application/javascript", false);

    response.write("some script...");

    return;

  // external stylesheet

  if (query.res == "style") {

    response.setHeader("Content-Type", "text/css", false);

    response.write("css data...");

    return;

  // internal stylesheet that loads an image from an external site

  if (query.res == "cssLoader") {

    let bgURL = thisSite + resource + "?redir=other&res=image&id=" + query.id;

    response.setHeader("Content-Type", "text/css", false);

    response.write("body { background:url('" + bgURL + "'); }");

    return;

  // script that loads an internal worker that uses importScripts on a redirect

  // to an external script.

  if (query.res == "loadWorkerThatMakesRequests") {

    // this creates a worker (same origin) that imports a redirecting script.

    let workerURL =

      thisSite + resource + "?res=makeRequestsWorker&id=" + query.id;

    response.setHeader("Content-Type", "application/javascript", false);

    response.write("new Worker('" + workerURL + "');");

    return;

  // script that loads an internal worker that uses importScripts on a redirect

  // to an external script.

  if (query.res == "loadBlobWorkerThatMakesRequests") {

    // this creates a worker (same origin) that imports a redirecting script.

    let workerURL =

      thisSite + resource + "?res=makeRequestsWorker&id=" + query.id;

    response.setHeader("Content-Type", "application/javascript", false);

    response.write(

      "var x = new XMLHttpRequest(); x.open('GET', '" + workerURL + "'); "

);

    response.write("x.responseType = 'blob'; x.send(); ");

    response.write(

      "x.onload = () => { new Worker(URL.createObjectURL(x.response)); };"

);

    return;

  // source for a worker that simply calls importScripts on a script that

  // redirects.

  if (query.res == "makeRequestsWorker") {

    // this is code for a worker that imports a redirected script.

    let scriptURL =

      thisSite +

      resource +

      "?redir=other&res=script&id=script-src-redir-" +

      query.id;

    let xhrURL =

      thisSite +

      resource +

      "?redir=other&res=xhr-resp&id=xhr-src-redir-" +

      query.id;

    let fetchURL =

      thisSite +

      resource +

      "?redir=other&res=xhr-resp&id=fetch-src-redir-" +

      query.id;

    response.setHeader("Content-Type", "application/javascript", false);

    response.write("try { importScripts('" + scriptURL + "'); } catch(ex) {} ");

    response.write(

      "var x = new XMLHttpRequest(); x.open('GET', '" + xhrURL + "'); x.send();"

);

    response.write("fetch('" + fetchURL + "');");

    return;

  // script that invokes XHR

  if (query.res == "xhr") {

    response.setHeader("Content-Type", "application/javascript", false);

    var resp =

      'var x = new XMLHttpRequest();x.open("GET", "' +

      thisSite +

      resource +

      '?redir=other&res=xhr-resp&id=xhr-src-redir", false);\n' +

      "x.send(null);";

    response.write(resp);

    return;

  // response to XHR

  if (query.res == "xhr-resp") {

    response.setHeader("Access-Control-Allow-Origin", "*", false);

    response.setHeader("Content-Type", "text/html", false);

    response.write("XHR response...");