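/**
 * Opens `url` in a new window and waits for its 'LOADED' handshake message.
 *
 * The opened window is closed from a callback registered through
 * add_result_callback().
 *
 * @param {string} url - URL of the helper window to open.
 * @returns {Promise<Window>} Resolves with the opened window once a message
 *     whose data is 'LOADED' arrives. Rejects if window.open() returns null
 *     or if the first message carries any other data.
 */
function openWindow(url) {
  return new Promise((resolve, reject) => {
    const win = window.open(url, '_blank');
    if (!win) {
      // window.open() yields null when the window could not be created (for
      // example a blocked popup). Fail here instead of throwing later from
      // the result callback while this promise stays pending.
      reject(new Error(`window.open() returned null for ${url}`));
      return;
    }
    add_result_callback(() => win.close());
    // NOTE(review): this handler takes the next message from any sender; it
    // does not compare e.source with `win` or look at e.origin, so a stray
    // message from another window would be treated as the handshake.
    window.onmessage = e => {
      try {
        assert_equals(e.data, 'LOADED');
      } catch (err) {
        // An exception thrown inside an event handler does not settle the
        // promise; reject explicitly so the test fails with the assertion
        // message rather than by timing out.
        reject(err);
        return;
      }
      resolve(win);
    };
  });
}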
/**
 * Opens the helper window, posts a request naming a script to it, and checks
 * the helper's reply against the expected outcome.
 *
 * @param {string} windowURL - URL of the helper window, passed to openWindow().
 * @param {string} scriptURL - Script URL sent to the helper as `script_url`.
 * @param {string} type - Worklet type sent to the helper as `type`.
 * @param {string} expectation - Expected reply data; callers in this file
 *     pass 'RESOLVED' or 'REJECTED'.
 * @returns {Promise} Settles with the outcome of the assert_equals() check
 *     on the reply.
 */
async function openWindowAndExpectResult(windowURL, scriptURL, type, expectation) {
  const helperWindow = await openWindow(windowURL);

  // Install the reply listener before posting the request. It resolves with
  // the next message event delivered to this window, whoever sent it.
  const reply = new Promise(resolve => {
    window.onmessage = resolve;
  });

  // The request is posted with targetOrigin '*', so it is delivered whatever
  // origin the helper window is on.
  helperWindow.postMessage({ type, script_url: scriptURL }, '*');

  const replyEvent = await reply;
  return assert_equals(replyEvent.data, expectation);
}
/**
 * Runs the Content Security Policy test suites for a worklet: first the
 * script-src / worker-src tests, then the mixed content tests.
 *
 * Usage:
 *   runContentSecurityPolicyTests("paint");
 *
 * @param {string} workletType - Worklet type handed to each suite.
 */
function runContentSecurityPolicyTests(workletType) {
  const suites = [runSrcTests, runMixedContentTests];
  suites.forEach(runSuite => {
    runSuite(workletType);
  });
}
/**
 * Registers the script-src and worker-src tests for one worklet type.
 *
 * Four helper-window configurations are defined, each served with a
 * Content-Security-Policy header injected through `?pipe=header(...)`. For
 * every configuration, five script shapes are registered with promise_test():
 * a remote-origin script, a same-origin script importing a remote-origin one,
 * a remote-origin script importing a remote-origin one, and the redirected
 * variants of the first two. All five share the configuration's
 * `crossOriginExpectation`, so a policy that blocks the remote origin is
 * expected to block it on direct loads, on imports and after redirects alike.
 *
 * @param {string} workletType - Worklet type forwarded to the helper window.
 */
function runSrcTests(workletType) {
  // Builds the helper window URL that is served with the given CSP value.
  const withPolicy = policy =>
      `resources/addmodule-window.html?pipe=header(Content-Security-Policy, ${policy})`;

  const kWindowConfigs = [
    {
      // script-src 'self' does not list the remote origin.
      windowURL: withPolicy("script-src 'self' 'unsafe-inline'"),
      crossOriginExpectation: 'REJECTED',
      message: "should be blocked by the script-src 'self' directive.",
    },
    {
      // Both this origin and the remote origin are listed explicitly.
      windowURL: withPolicy(
          `script-src ${location.origin} ${get_host_info().HTTPS_REMOTE_ORIGIN} 'unsafe-inline'`),
      crossOriginExpectation: 'RESOLVED',
      message: 'should not be blocked because the script-src directive ' +
          'specifying the origin allows it.',
    },
    {
      windowURL: withPolicy("script-src * 'unsafe-inline'"),
      crossOriginExpectation: 'RESOLVED',
      message: 'should not be blocked because the script-src * directive allows it.',
    },
    {
      // Only worker-src is set here; the expectation is that it does not
      // restrict worklet loads.
      windowURL: withPolicy("worker-src 'self' 'unsafe-inline'"),
      crossOriginExpectation: 'RESOLVED',
      message: 'should not be blocked by the worker-src directive ' +
          'because worklets obey the script-src directive.',
    },
  ];

  const kEmptyScriptPath =
      '/worklets/resources/empty-worklet-script-with-cors-header.js';

  // One entry per script shape. The URL is produced by a function so that it
  // is computed when the test runs, not when it is registered.
  const kScriptCases = [
    {
      label: 'A remote-origin worklet ',
      scriptURL: () => get_host_info().HTTPS_REMOTE_ORIGIN + kEmptyScriptPath,
    },
    {
      label: 'A same-origin worklet importing a remote-origin script ',
      scriptURL: () => 'import-remote-origin-empty-worklet-script.sub.js',
    },
    {
      // A worklet on HTTPS_REMOTE_ORIGIN will import a child script on
      // HTTPS_REMOTE_ORIGIN.
      label: 'A remote-origin worklet importing a remote-origin script ',
      scriptURL: () => get_host_info().HTTPS_REMOTE_ORIGIN +
          '/worklets/resources/import-empty-worklet-script-with-cors-header.js',
    },
    {
      // The request starts at a root-relative redirector URL and is
      // redirected to the remote origin.
      label: 'A remote-origin-redirected worklet ',
      scriptURL: () => '/common/redirect.py?location=' + encodeURIComponent(
          get_host_info().HTTPS_REMOTE_ORIGIN + kEmptyScriptPath),
    },
    {
      label: 'A same-origin worklet importing a remote-origin-redirected script ',
      scriptURL: () => 'import-remote-origin-redirected-empty-worklet-script.sub.js',
    },
  ];

  for (const { windowURL, crossOriginExpectation, message } of kWindowConfigs) {
    for (const { label, scriptURL } of kScriptCases) {
      promise_test(
          () => openWindowAndExpectResult(
              windowURL, scriptURL(), workletType, crossOriginExpectation),
          label + message);
    }
  }
}
/**
 * Registers the mixed content tests for one worklet type.
 *
 * The helper window is opened without any injected CSP header. Each case
 * reaches a script on HTTP_ORIGIN either directly, through a redirect, or
 * through an import from a same-origin script, and every case expects the
 * helper to answer 'REJECTED'.
 *
 * @param {string} workletType - Worklet type forwarded to the helper window.
 */
function runMixedContentTests(workletType) {
  const kWindowURL = 'resources/addmodule-window.html';
  const kNameSuffix = ' should be blocked because of mixed contents.';

  const insecureScriptURL = get_host_info().HTTP_ORIGIN +
      '/worklets/resources/empty-worklet-script-with-cors-header.js';
  const redirectedInsecureURL =
      '/common/redirect.py?location=' + encodeURIComponent(insecureScriptURL);

  // Pairs of [script URL, test name prefix].
  const kScriptCases = [
    [insecureScriptURL, 'An insecure-origin worklet'],
    [redirectedInsecureURL, 'An insecure-origin-redirected worklet'],
    [
      'import-insecure-origin-empty-worklet-script.sub.js',
      'A same-origin worklet importing an insecure-origin script',
    ],
    [
      'import-insecure-origin-redirected-empty-worklet-script.sub.js',
      'A same-origin worklet ' + 'importing an insecure-origin-redirected script',
    ],
  ];

  kScriptCases.forEach(([scriptURL, namePrefix]) => {
    promise_test(
        () => openWindowAndExpectResult(
            kWindowURL, scriptURL, workletType, 'REJECTED'),
        namePrefix + kNameSuffix);
  });
}