Diffstat (limited to 'testing/web-platform/tests/content-security-policy/sandbox/service-worker-sandbox.https.html')
-rw-r--r-- | testing/web-platform/tests/content-security-policy/sandbox/service-worker-sandbox.https.html | 67 |
1 files changed, 67 insertions, 0 deletions
diff --git a/testing/web-platform/tests/content-security-policy/sandbox/service-worker-sandbox.https.html b/testing/web-platform/tests/content-security-policy/sandbox/service-worker-sandbox.https.html
new file mode 100644
index 0000000000..8b7d72e0ef
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/sandbox/service-worker-sandbox.https.html
@@ -0,0 +1,67 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/service-workers/service-worker/resources/test-helpers.sub.js"></script>
+<body>
+<script>
+let frame = null;
+let worker = null;
+const scope = 'support/empty.html';
+const script = 'support/sandboxed-service-worker.js';
+
+// Currently, sandbox directives for workers are not specified
+// https://github.com/w3c/webappsec-csp/issues/279
+// and thus this test asserts that the origin of ServiceWorker is not sandboxed.
+
+// Global setup: this must be the first promise_test.
+promise_test(async (t) => {
+ const registration =
+ await service_worker_unregister_and_register(t, script, scope);
+ worker = registration.installing;
+ await wait_for_state(t, worker, 'activated');
+ frame = await with_iframe(scope);
+
+ // Global cleanup: the final promise_test.
+ promise_test(() => {
+ if (frame)
+ frame.remove();
+ return registration.unregister();
+ }, 'global cleanup');
+}, 'global setup');
+
+promise_test(async (t) => {
+ const r = await frame.contentWindow.fetch('/get-origin', {mode: 'cors'});
+ const j = await r.json();
+ assert_equals(j.origin, location.origin, 'Origin should not be sandboxed');
+}, 'Origin of service worker');
+
+promise_test(async (t) => {
+ const r = await frame.contentWindow.fetch('/get-origin',
+ {mode: 'same-origin'});
+ const j = await r.json();
+ assert_equals(j.origin, location.origin, 'Origin should not be opaque');
+}, 'Response generated by service worker can be fetched as same-origin');
+
+// Because the origin of service worker should be `location.origin`,
+// fetches from service worker to `location.origin` should be successful.
+for (const mode of ['same-origin', 'cors']) {
+ for (const hasACAOrigin of [true, false]) {
+ promise_test(async (t) => {
+ const final_url = new URL('/fetch/api/resources/', location);
+ final_url.pathname += hasACAOrigin ? 'cors-top.txt' : 'top.txt';
+ final_url.searchParams.set('hash', Math.random());
+
+ const url = new URL('/fetch', location);
+ url.searchParams.set('url', final_url);
+ url.searchParams.set('hash', Math.random());
+ const r = await frame.contentWindow.fetch(url, {mode});
+ const text = await r.text();
+ assert_equals(text, 'top');
+ }, 'Origin used in fetch on service worker (mode: ' +
+ mode +
+ (hasACAOrigin ? ', with ACAOrigin' : '') +
+ ')');
+ }
+}
+</script> |
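Review bot: In the 'global setup' promise_test, the nested 'global cleanup' test is registered only after `await wait_for_state(t, worker, 'activated')` and `frame = await with_iframe(scope)` have resolved, so if either rejects, nothing in this file unregisters the service worker. Because the other promise_tests are queued synchronously at load, the `promise_test(() => { ... }, 'global cleanup');` call could move to directly after `service_worker_unregister_and_register(...)` resolves and should still run last; it already guards on `if (frame)`. The later tests dereference `frame.contentWindow` while `frame` may still be `null`, so a setup failure shows up as a TypeError rather than a clear message; a leading `assert_not_equals(frame, null, 'global setup failed');` in each would make that explicit. The header comment could also state where the sandbox policy is applied, presumably a CSP `sandbox` header on `support/sandboxed-service-worker.js`, which is not visible in this hunk, so a reader can tell what "not sandboxed" is being measured against.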