summaryrefslogtreecommitdiffstats
path: root/testing/web-platform/tests/content-security-policy/generic/test-case.sub.js
blob: d9a6494dd36af93f0e66209525caf6de37e9368b (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
function TestCase(scenarios, sanityChecker) {
  function runTest(scenario) {
    sanityChecker.checkScenario(scenario, subresourceMap);

    const urls = getRequestURLs(scenario.subresource,
                                scenario.origin,
                                scenario.redirection);

    /** @type {Subresource} */
    const subresource = {
      subresourceType: scenario.subresource,
      url: urls.testUrl,
      policyDeliveries: scenario.subresource_policy_deliveries,
    };

    let violationEventResolve;
    // Resolved with an array of securitypolicyviolation events.
    const violationEventPromise = new Promise(resolve => {
        violationEventResolve = resolve;
      });

    promise_test(async t => {
      await xhrRequest(urls.announceUrl);

      // Currently only requests from top-level Documents are tested
      // (specified by `spec.src.json`) and thus securitypolicyviolation
      // events are assumed to be fired on the top-level Document here.
      // When adding non-top-level Document tests, securitypolicyviolation
      // events should be caught in appropriate contexts.
      const violationEvents = [];
      const listener = e => { violationEvents.push(e); };
      document.addEventListener('securitypolicyviolation', listener);

      try {
        // Send out the real resource request.
        // This should tear down the key if it's not blocked.
        const mainPromise = invokeRequest(subresource, scenario.source_context_list);
        if (scenario.expectation === 'allowed') {
          await mainPromise;
        } else {
          await mainPromise
              .then(t.unreached_func('main promise resolved unexpectedly'))
              .catch(_ => {});
        }
      } finally {
        // Always perform post-processing/clean up for
        // 'securitypolicyviolation' events and resolve
        // `violationEventPromise`, to prevent timeout of the
        // promise_test() below.

        // securitypolicyviolation events are fired in a queued task in
        // https://w3c.github.io/webappsec-csp/#report-violation
        // so wait for queued tasks to run using setTimeout().
        let timeout = 0;
        if (scenario.subresource.startsWith('worklet-') &&
            navigator.userAgent.includes("Firefox/")) {
          // https://bugzilla.mozilla.org/show_bug.cgi?id=1808911
          // In Firefox sometimes violations from Worklets are delayed.
          timeout = 10;
        }
        await new Promise(resolve => setTimeout(resolve, timeout));

        // Pass violation events to `violationEventPromise` (which will be tested
        // in the subsequent promise_test()) and clean up the listener.
        violationEventResolve(violationEvents);
        document.removeEventListener('securitypolicyviolation', listener);
      }

      // Send request to check if the key has been torn down.
      const assertResult = await xhrRequest(urls.assertUrl);

      // Now check if the value has been torn down. If it's still there,
      // we have blocked the request by content security policy.
      assert_equals(assertResult.status, scenario.expectation,
        "The resource request should be '" + scenario.expectation + "'.");

    }, scenario.test_description);

    promise_test(async _ => {
        const violationEvents = await violationEventPromise;
        if (scenario.expectation === 'allowed') {
          assert_array_equals(violationEvents, [],
              'no violation events should be fired');
        } else {
          assert_equals(violationEvents.length, 1,
              'One violation event should be fired');
        }
      }, scenario.test_description + ": securitypolicyviolation");
  }  // runTest

  function runTests() {
    for (const scenario of scenarios) {
      runTest(scenario);
    }
  }

  return {start: runTests};
}