1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
|
function TestCase(scenarios, sanityChecker) {
function runTest(scenario) {
sanityChecker.checkScenario(scenario, subresourceMap);
const urls = getRequestURLs(scenario.subresource,
scenario.origin,
scenario.redirection);
/** @type {Subresource} */
const subresource = {
subresourceType: scenario.subresource,
url: urls.testUrl,
policyDeliveries: scenario.subresource_policy_deliveries,
};
let violationEventResolve;
// Resolved with an array of securitypolicyviolation events.
const violationEventPromise = new Promise(resolve => {
violationEventResolve = resolve;
});
promise_test(async t => {
await xhrRequest(urls.announceUrl);
// Currently only requests from top-level Documents are tested
// (specified by `spec.src.json`) and thus securitypolicyviolation
// events are assumed to be fired on the top-level Document here.
// When adding non-top-level Document tests, securitypolicyviolation
// events should be caught in appropriate contexts.
const violationEvents = [];
const listener = e => { violationEvents.push(e); };
document.addEventListener('securitypolicyviolation', listener);
try {
// Send out the real resource request.
// This should tear down the key if it's not blocked.
const mainPromise = invokeRequest(subresource, scenario.source_context_list);
if (scenario.expectation === 'allowed') {
await mainPromise;
} else {
await mainPromise
.then(t.unreached_func('main promise resolved unexpectedly'))
.catch(_ => {});
}
} finally {
// Always perform post-processing/clean up for
// 'securitypolicyviolation' events and resolve
// `violationEventPromise`, to prevent timeout of the
// promise_test() below.
// securitypolicyviolation events are fired in a queued task in
// https://w3c.github.io/webappsec-csp/#report-violation
// so wait for queued tasks to run using setTimeout().
let timeout = 0;
if (scenario.subresource.startsWith('worklet-') &&
navigator.userAgent.includes("Firefox/")) {
// https://bugzilla.mozilla.org/show_bug.cgi?id=1808911
// In Firefox sometimes violations from Worklets are delayed.
timeout = 10;
}
await new Promise(resolve => setTimeout(resolve, timeout));
// Pass violation events to `violationEventPromise` (which will be tested
// in the subsequent promise_test()) and clean up the listener.
violationEventResolve(violationEvents);
document.removeEventListener('securitypolicyviolation', listener);
}
// Send request to check if the key has been torn down.
const assertResult = await xhrRequest(urls.assertUrl);
// Now check if the value has been torn down. If it's still there,
// we have blocked the request by content security policy.
assert_equals(assertResult.status, scenario.expectation,
"The resource request should be '" + scenario.expectation + "'.");
}, scenario.test_description);
promise_test(async _ => {
const violationEvents = await violationEventPromise;
if (scenario.expectation === 'allowed') {
assert_array_equals(violationEvents, [],
'no violation events should be fired');
} else {
assert_equals(violationEvents.length, 1,
'One violation event should be fired');
}
}, scenario.test_description + ": securitypolicyviolation");
} // runTest
function runTests() {
for (const scenario of scenarios) {
runTest(scenario);
}
}
return {start: runTests};
}
|