testing/web-platform/tests/html/cross-origin-embedder-policy/dedicated-worker-cache-storage.https.html


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128

<!doctype html>
<html>
<title> Check enforcement of COEP in a DedicatedWorker using CacheStorage. </title>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/common/get-host-info.sub.js"></script>
<script>
// See also: ./shared-worker-cache-storage.https.html

function remote(path) {
  const REMOTE_ORIGIN = get_host_info().HTTPS_REMOTE_ORIGIN;
  return new URL(path, REMOTE_ORIGIN);
}

const iframe_path = "./resources/iframe.html?pipe=";
const dedicated_worker_path = "./universal-worker.js?pipe=";
const ressource_path = "/images/blue.png?pipe=";

const coep_header= {
  "coep-none"         : "",
  "coep-require-corp" : "|header(Cross-Origin-Embedder-Policy,require-corp)",
}

const corp_header = {
  "corp-undefined": "",
  "corp-cross-origin": "|header(Cross-Origin-Resource-Policy,cross-origin)",
}

// Check enforcement of COEP in a DedicatedWorker using CacheStorage.
//
// 1) Fetch a response from a document with COEP:none. Store it in the
//    CacheStorage. The response is cross-origin without any CORS header.
// 2) From an iframe, start a DedicatedWorker and try to retrieve the response
//    from the CacheStorage.
//
// Test parameters:
// - |iframe_coep| the COEP header of the iframe's document response
// - |worker_coep| the COEP header of the DedicatedWorker's script response.
// - |response_corp| the CORP header of the response.
//
// Test expectations:
// |result|
//   - "success" when the worker is able to fetch the response from the
//     CacheStorage,
//   - "failure" when the worker is not able to fetch the response from the
//     CacheStorage, and
//   - "error" when it is unable to create a worker.
// https://mikewest.github.io/corpp/#initialize-embedder-policy-for-global
function check(
  // Test parameters:
  iframe_coep,
  worker_coep,
  response_corp,

  // Test expectations:
  result) {

  promise_test(async (t) => {
    // 1) Fetch a response from a document with COEP:none. Store it in the
    //    CacheStorage. The response is cross-origin without any CORS header.
    const resource_path = ressource_path + corp_header[response_corp];
    const resource_url = remote(resource_path);
    const fetch_request = new Request(resource_url, {mode: 'no-cors'});
    const cache = await caches.open('v1');
    const fetch_response = await fetch(fetch_request);
    await cache.put(fetch_request, fetch_response);

    // 2) From an iframe, start a DedicatedWorker and try to retrieve the
    //    response from the CacheStorage.
    const worker_url = dedicated_worker_path + coep_header[worker_coep];
    const worker_eval = `
      (async function() {
        const cache = await caches.open('v1');
        const request = new Request('${resource_url}', {
          mode: 'no-cors'
        });
        try {
          const response = await cache.match(request);
          postMessage('success');
        } catch(error) {
          postMessage('failure');
        }
      })()
    `;

    const iframe_url = iframe_path + coep_header[iframe_coep];
    const iframe_eval = `
      (async function() {
        const w = new Worker('${worker_url}');
        const worker_response = new Promise(resolve => w.onmessage = resolve);
        w.onerror = () => parent.postMessage('error');
        w.postMessage(\`${worker_eval}\`);
        const response = await worker_response;
        parent.postMessage(response.data);
      })();
    `;

    const iframe = document.createElement("iframe");
    t.add_cleanup(() => iframe.remove());
    iframe.src = iframe_url;
    const iframe_loaded = new Promise(resolve => iframe.onload = resolve);
    document.body.appendChild(iframe);
    await iframe_loaded;

    const iframe_response = new Promise(resolve => {
      window.addEventListener("message", resolve);
    })
    iframe.contentWindow.postMessage(iframe_eval);

    const {data} = await iframe_response;
    assert_equals(data, result);
  }, `${iframe_coep} ${worker_coep} ${response_corp}`)
}

// -----------------------------------------------------------------------------
//    iframe_coep         , worker_coep         , response_corp       , loaded
// -----------------------------------------------------------------------------
check("coep-none"         , "coep-none"         , "corp-cross-origin" , "success");
check("coep-none"         , "coep-none"         , "corp-undefined"    , "success");
check("coep-none"         , "coep-require-corp" , "corp-cross-origin" , "success");
check("coep-none"         , "coep-require-corp" , "corp-undefined"    , "failure");
check("coep-require-corp" , "coep-none"         , "corp-cross-origin" , "error");
check("coep-require-corp" , "coep-none"         , "corp-undefined"    , "error");
check("coep-require-corp" , "coep-require-corp" , "corp-cross-origin" , "success");
check("coep-require-corp" , "coep-require-corp" , "corp-undefined"    , "failure");

</script>
</html>