common/security-features/subresource/static-import.py - external/w3c/web-platform-tests.git - Git at Google

 import os, sys, json
 from urllib.parse import unquote

 from wptserve.utils import isomorphic_decode
 import importlib
 subresource = importlib.import_module("common.security-features.subresource.subresource")

 def get_csp_value(value):
     '''
     Returns actual CSP header values (e.g. "worker-src 'self'") for the
     given string used in PolicyDelivery's value (e.g. "worker-src-self").
     '''

     # script-src
     # Test-related scripts like testharness.js and inline scripts containing
     # test bodies.
     # 'unsafe-inline' is added as a workaround here. This is probably not so
     # bad, as it shouldn't intefere non-inline-script requests that we want to
     # test.
     if value == 'script-src-wildcard':
         return "script-src * 'unsafe-inline'"
     if value == 'script-src-self':
         return "script-src 'self' 'unsafe-inline'"
     # Workaround for "script-src 'none'" would be more complicated, because
     # - "script-src 'none' 'unsafe-inline'" is handled somehow differently from
     #   "script-src 'none'", i.e.
     #   https://w3c.github.io/webappsec-csp/#match-url-to-source-list Step 3
     #   handles the latter but not the former.
     # - We need nonce- or path-based additional values to allow same-origin
     #   test scripts like testharness.js.
     # Therefore, we disable 'script-src-none' tests for now in
     # `/content-security-policy/spec.src.json`.
     if value == 'script-src-none':
         return "script-src 'none'"

     # worker-src
     if value == 'worker-src-wildcard':
         return 'worker-src *'
     if value == 'worker-src-self':
         return "worker-src 'self'"
     if value == 'worker-src-none':
         return "worker-src 'none'"
     raise Exception('Invalid delivery_value: %s' % value)

 def generate_payload(request):
     import_url = unquote(isomorphic_decode(request.GET[b'import_url']))
     return subresource.get_template(u"static-import.js.template") % {
         u"import_url": import_url
     }

 def main(request, response):
     def payload_generator(_): return generate_payload(request)
     maybe_additional_headers = {}
     if b'contentSecurityPolicy' in request.GET:
         csp = unquote(isomorphic_decode(request.GET[b'contentSecurityPolicy']))
         maybe_additional_headers[b'Content-Security-Policy'] = get_csp_value(csp)
     subresource.respond(request,
                         response,
                         payload_generator = payload_generator,
                         content_type = b"application/javascript",
                         maybe_additional_headers = maybe_additional_headers)
	import os, sys, json
	from urllib.parse import unquote

	from wptserve.utils import isomorphic_decode
	import importlib
	subresource = importlib.import_module("common.security-features.subresource.subresource")

	def get_csp_value(value):
	'''
	Returns actual CSP header values (e.g. "worker-src 'self'") for the
	given string used in PolicyDelivery's value (e.g. "worker-src-self").
	'''

	# script-src
	# Test-related scripts like testharness.js and inline scripts containing
	# test bodies.
	# 'unsafe-inline' is added as a workaround here. This is probably not so
	# bad, as it shouldn't intefere non-inline-script requests that we want to
	# test.
	if value == 'script-src-wildcard':
	return "script-src * 'unsafe-inline'"
	if value == 'script-src-self':
	return "script-src 'self' 'unsafe-inline'"
	# Workaround for "script-src 'none'" would be more complicated, because
	# - "script-src 'none' 'unsafe-inline'" is handled somehow differently from
	# "script-src 'none'", i.e.
	# https://w3c.github.io/webappsec-csp/#match-url-to-source-list Step 3
	# handles the latter but not the former.
	# - We need nonce- or path-based additional values to allow same-origin
	# test scripts like testharness.js.
	# Therefore, we disable 'script-src-none' tests for now in
	# `/content-security-policy/spec.src.json`.
	if value == 'script-src-none':
	return "script-src 'none'"

	# worker-src
	if value == 'worker-src-wildcard':
	return 'worker-src *'
	if value == 'worker-src-self':
	return "worker-src 'self'"
	if value == 'worker-src-none':
	return "worker-src 'none'"
	raise Exception('Invalid delivery_value: %s' % value)

	def generate_payload(request):
	import_url = unquote(isomorphic_decode(request.GET[b'import_url']))
	return subresource.get_template(u"static-import.js.template") % {
	u"import_url": import_url
	}

	def main(request, response):
	def payload_generator(_): return generate_payload(request)
	maybe_additional_headers = {}
	if b'contentSecurityPolicy' in request.GET:
	csp = unquote(isomorphic_decode(request.GET[b'contentSecurityPolicy']))
	maybe_additional_headers[b'Content-Security-Policy'] = get_csp_value(csp)
	subresource.respond(request,
	response,
	payload_generator = payload_generator,
	content_type = b"application/javascript",
	maybe_additional_headers = maybe_additional_headers)