<!DOCTYPE html>
<title>CSP blocks WebBundle</title>
<link
rel="help"
href="https://github.com/WICG/webpackage/blob/main/explainers/subresource-loading.md"
/>
<meta
http-equiv="Content-Security-Policy"
content="
default-src
https://web-platform.test:8444/web-bundle/resources/wbn/relative-url-file.js
https://web-platform.test:8444/resources/testharness.js
https://web-platform.test:8444/resources/testharnessreport.js
https://web-platform.test:8444/web-bundle/resources/test-helpers.js
'unsafe-inline';
img-src
https://web-platform.test:8444/web-bundle/resources/wbn/pass.png;"
/>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="../resources/test-helpers.js"></script>
<body>
<script>
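// The bundle URL is deliberately absent from every directive of the page's
// Content-Security-Policy, so the request for it must be blocked.
const bundle_url =
  "https://web-platform.test:8444/web-bundle/resources/wbn/relative-url.wbn";
// The subresource URL, by contrast, IS listed under default-src. A failure to
// load it is therefore expected to come from the blocked bundle it is
// associated with, not from a CSP match on the script URL itself.
const subresource_url =
  "https://web-platform.test:8444/web-bundle/resources/wbn/relative-url-file.js";

promise_test(() => {
  // If a WebBundle is blocked by CSP:
  // - the request for the WebBundle should fail;
  // - a subresource request associated with the bundle should fail;
  // - window "load" should still fire, i.e. no request may stay pending forever.

  // Resolves on "error" and rejects on "load", so that a policy bypass is
  // reported as an explicit failure instead of surfacing only as a harness
  // timeout.
  // NOTE(review): assumes the element fires "load" when its fetch succeeds;
  // confirm this for the element returned by createWebBundleElement.
  const expectBlocked = (element, label) =>
    new Promise((resolve, reject) => {
      element.addEventListener("error", () => resolve());
      element.addEventListener("load", () =>
        reject(new Error(`${label} loaded although CSP should have blocked it`))
      );
    });

  const window_load = new Promise((resolve) => {
    window.addEventListener("load", () => resolve());
  });

  // Listeners are attached before each element is inserted so that no event
  // can be missed.
  const script_webbundle = createWebBundleElement(bundle_url, [subresource_url]);
  const webbundle_error = expectBlocked(script_webbundle, "WebBundle");
  document.body.appendChild(script_webbundle);

  const script_js = document.createElement("script");
  script_js.src = subresource_url;
  const script_js_error = expectBlocked(script_js, "Bundle subresource");
  document.body.appendChild(script_js);

  return Promise.all([window_load, webbundle_error, script_js_error]);
}, "WebBundle and subresource loadings should fail when CSP blocks a WebBundle");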
</script>
</body>