Source code

Revision control

Copy as Markdown

Other Tools

import os, sys, json
from urllib.parse import unquote
from wptserve.utils import isomorphic_decode
import importlib
subresource = importlib.import_module("")
def get_csp_value(value):
Returns actual CSP header values (e.g. "worker-src 'self'") for the
given string used in PolicyDelivery's value (e.g. "worker-src-self").
# script-src
# Test-related scripts like testharness.js and inline scripts containing
# test bodies.
# 'unsafe-inline' is added as a workaround here. This is probably not so
# bad, as it shouldn't intefere non-inline-script requests that we want to
# test.
if value == 'script-src-wildcard':
return "script-src * 'unsafe-inline'"
if value == 'script-src-self':
return "script-src 'self' 'unsafe-inline'"
# Workaround for "script-src 'none'" would be more complicated, because
# - "script-src 'none' 'unsafe-inline'" is handled somehow differently from
# "script-src 'none'", i.e.
# handles the latter but not the former.
# - We need nonce- or path-based additional values to allow same-origin
# test scripts like testharness.js.
# Therefore, we disable 'script-src-none' tests for now in
# `/content-security-policy/spec.src.json`.
if value == 'script-src-none':
return "script-src 'none'"
# worker-src
if value == 'worker-src-wildcard':
return 'worker-src *'
if value == 'worker-src-self':
return "worker-src 'self'"
if value == 'worker-src-none':
return "worker-src 'none'"
raise Exception('Invalid delivery_value: %s' % value)
def generate_payload(request):
import_url = unquote(isomorphic_decode(request.GET[b'import_url']))
return subresource.get_template(u"static-import.js.template") % {
u"import_url": import_url
def main(request, response):
def payload_generator(_): return generate_payload(request)
maybe_additional_headers = {}
if b'contentSecurityPolicy' in request.GET:
csp = unquote(isomorphic_decode(request.GET[b'contentSecurityPolicy']))
maybe_additional_headers[b'Content-Security-Policy'] = get_csp_value(csp)
payload_generator = payload_generator,
content_type = b"application/javascript",
maybe_additional_headers = maybe_additional_headers)