1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
|
<!DOCTYPE html>
<title>DedicatedWorker: CSP for ES Modules</title>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script>
async function openWindow(url) {
const win = window.open(url, '_blank');
add_result_callback(() => win.close());
const msg_event = await new Promise(resolve => window.onmessage = resolve);
assert_equals(msg_event.data, 'LOADED');
return win;
}
function import_csp_test(
cspHeader, importType, expectedImportedModules, description) {
// Append CSP header to windowURL for static import tests since static import
// scripts should obey Window's CSP.
const windowURL = `resources/new-worker-window.html` +
`${importType === 'static'
? '?pipe=header(Content-Security-Policy, ' + cspHeader + ')'
: ''}`;
// Append CSP header to scriptURL for dynamic import tests since dynamic
// import scripts should obey Worker script's response's CSP.
const scriptURL = `${importType}-import-remote-origin-script-worker.sub.js` +
`${importType === 'dynamic'
? '?pipe=header(Content-Security-Policy, ' + cspHeader + ')'
: ''}`;
promise_test(async () => {
const win = await openWindow(windowURL);
// Ask the window to start a dedicated worker.
win.postMessage(scriptURL, '*');
const msg_event = await new Promise(resolve => window.onmessage = resolve);
assert_array_equals(msg_event.data, expectedImportedModules);
}, description);
}
// Tests for static import.
//
// Static import should obey the worker-src directive and the script-src
// directive. If the both directives are specified, the worker-src directive
// should be prioritized.
//
// Step 1: "If the result of executing 6.6.1.11 Get the effective directive for
// request on request is "worker-src", and policy contains a directive whose
// name is "worker-src", return "Allowed"."
// "Note: If worker-src is present, we’ll defer to it when handling worker
// requests."
// https://w3c.github.io/webappsec-csp/#script-src-pre-request
import_csp_test(
"worker-src 'self' 'unsafe-inline'",
"static",
['ERROR'],
"worker-src 'self' directive should disallow cross origin static import.");
import_csp_test(
"worker-src * 'unsafe-inline'",
"static",
["export-on-load-script.js"],
"worker-src * directive should allow cross origin static import.")
import_csp_test(
"script-src 'self' 'unsafe-inline'",
"static",
['ERROR'],
"script-src 'self' directive should disallow cross origin static import.");
import_csp_test(
"script-src * 'unsafe-inline'",
"static",
["export-on-load-script.js"],
"script-src * directive should allow cross origin static import.")
import_csp_test(
"worker-src *; script-src 'self' 'unsafe-inline'",
"static",
["export-on-load-script.js"],
"worker-src * directive should override script-src 'self' directive and " +
"allow cross origin static import.");
import_csp_test(
"worker-src 'self'; script-src * 'unsafe-inline'",
"static",
['ERROR'],
"worker-src 'self' directive should override script-src * directive and " +
"disallow cross origin static import.");
// For static imports on workers, the effective directive should be 'worker-src'.
// https://w3c.github.io/webappsec-csp/#effective-directive-for-a-request
//
// The directive fallback list of 'worker-src' doesn't contain 'script-src-elem'
// https://w3c.github.io/webappsec-csp/#directive-fallback-list
import_csp_test(
"script-src-elem 'self' 'unsafe-inline'",
"static",
["export-on-load-script.js"],
"script-src-elem 'self' directive should not take effect on static import.");
// Tests for dynamic import.
//
// Dynamic import should obey the script-src directive instead of the worker-src
// directive according to the specs:
//
// Dynamic import has the "script" destination.
// Step 2.4: "Fetch a module script graph given url, ..., "script", ..."
// https://html.spec.whatwg.org/multipage/webappapis.html#hostimportmoduledynamically(referencingscriptormodule,-specifier,-promisecapability)
//
// The "script" destination should obey the script-src CSP directive.
// Step 2: "If request's destination is script-like:"
// https://w3c.github.io/webappsec-csp/#script-src-pre-request
import_csp_test(
"script-src 'self' 'unsafe-inline'",
"dynamic",
['ERROR'],
"script-src 'self' directive should disallow cross origin dynamic import.");
// For dynamic imports, the effective directive should be 'script-src-elem'.
// https://w3c.github.io/webappsec-csp/#effective-directive-for-a-request
import_csp_test(
"script-src-elem 'self' 'unsafe-inline'",
"dynamic",
['ERROR'],
"script-src-elem 'self' directive should disallow cross origin dynamic import.");
import_csp_test(
"script-src * 'unsafe-inline'",
"dynamic",
["export-on-load-script.js"],
"script-src * directive should allow cross origin dynamic import.")
import_csp_test(
"worker-src 'self' 'unsafe-inline'",
"dynamic",
["export-on-load-script.js"],
"worker-src 'self' directive should not take effect on dynamic import.");
</script>
|
