1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
|
<!DOCTYPE html>
<meta charset="utf-8">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/service-workers/service-worker/resources/test-helpers.sub.js"></script>
<body>
<script>
let frame = null;
let worker = null;
const scope = 'support/empty.html';
const script = 'support/sandboxed-service-worker.js';
// Currently, sandbox directives for workers are not specified
// https://github.com/w3c/webappsec-csp/issues/279
// and thus this test asserts that the origin of ServiceWorker is not sandboxed.
// Global setup: this must be the first promise_test.
promise_test(async (t) => {
const registration =
await service_worker_unregister_and_register(t, script, scope);
worker = registration.installing;
await wait_for_state(t, worker, 'activated');
frame = await with_iframe(scope);
// Global cleanup: the final promise_test.
promise_test(() => {
if (frame)
frame.remove();
return registration.unregister();
}, 'global cleanup');
}, 'global setup');
promise_test(async (t) => {
const r = await frame.contentWindow.fetch('/get-origin', {mode: 'cors'});
const j = await r.json();
assert_equals(j.origin, location.origin, 'Origin should not be sandboxed');
}, 'Origin of service worker');
promise_test(async (t) => {
const r = await frame.contentWindow.fetch('/get-origin',
{mode: 'same-origin'});
const j = await r.json();
assert_equals(j.origin, location.origin, 'Origin should not be opaque');
}, 'Response generated by service worker can be fetched as same-origin');
// Because the origin of service worker should be `location.origin`,
// fetches from service worker to `location.origin` should be successful.
for (const mode of ['same-origin', 'cors']) {
for (const hasACAOrigin of [true, false]) {
promise_test(async (t) => {
const final_url = new URL('/fetch/api/resources/', location);
final_url.pathname += hasACAOrigin ? 'cors-top.txt' : 'top.txt';
final_url.searchParams.set('hash', Math.random());
const url = new URL('/fetch', location);
url.searchParams.set('url', final_url);
url.searchParams.set('hash', Math.random());
const r = await frame.contentWindow.fetch(url, {mode});
const text = await r.text();
assert_equals(text, 'top');
}, 'Origin used in fetch on service worker (mode: ' +
mode +
(hasACAOrigin ? ', with ACAOrigin' : '') +
')');
}
}
</script>
|
