testing/web-platform/tests/web-bundle/subresource-loading/csp-allowed.https.tentative.html


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60

<!DOCTYPE html>
<title>CSP for subresource WebBundle (allowed cases)</title>
<link
  rel="help"
  href="https://github.com/WICG/webpackage/blob/main/explainers/subresource-loading.md"
/>
<meta
  http-equiv="Content-Security-Policy"
  content="
    script-src
      https://web-platform.test:8444/web-bundle/resources/wbn/uuid-in-package.wbn
      https://web-platform.test:8444/resources/testharness.js
      https://web-platform.test:8444/resources/testharnessreport.js
      'unsafe-inline';
    img-src
      https://web-platform.test:8444/web-bundle/resources/wbn/pass.png"
/>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<body>
  <script type="webbundle">
    {
      "source": "../resources/wbn/subresource.wbn",
      "resources": ["https://web-platform.test:8444/web-bundle/resources/wbn/pass.png"]
    }
  </script>
  <script type="webbundle">
    {
      "source": "../resources/wbn/uuid-in-package.wbn",
      "resources": ["uuid-in-package:020111b3-437a-4c5c-ae07-adb6bbffb720"
      ]
    }
  </script>
  <script>
    promise_test(() => {
      return new Promise((resolve, reject) => {
        const img = document.createElement("img");
        img.src =
          "https://web-platform.test:8444/web-bundle/resources/wbn/pass.png";
        img.onload = resolve;
        img.onerror = reject;
        document.body.appendChild(img);
      });
    }, "URL matching of CSP should be done based on the subresource URL " +
       "when the subresource URL is HTTPS URL.");

    promise_test(async () => {
      const result = await new Promise((resolve) => {
        // This function will be called from the script.
        window.report_result = resolve;
        const script = document.createElement("script");
        script.src = "uuid-in-package:020111b3-437a-4c5c-ae07-adb6bbffb720";
        document.body.appendChild(script);
      });
      assert_equals(result, "OK");
    }, "URL matching of script-src CSP should be done based on the bundle URL " +
       "when the subresource URL is uuid-in-package: URL.");

  </script>
</body>