diff options
Diffstat (limited to 'testing/web-platform/tests/import-maps/csp')
7 files changed, 172 insertions, 0 deletions
diff --git a/testing/web-platform/tests/import-maps/csp/applied-to-target-dynamic.sub.html b/testing/web-platform/tests/import-maps/csp/applied-to-target-dynamic.sub.html new file mode 100644 index 0000000000..2c73803206 --- /dev/null +++ b/testing/web-platform/tests/import-maps/csp/applied-to-target-dynamic.sub.html @@ -0,0 +1,26 @@ +<!DOCTYPE html> +<html> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +<script src="../resources/test-helper.js"></script> +<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline';"> +<script type="importmap"> +{ + "imports": { + "../resources/log.js?pipe=sub&name=A": "https://{{domains[www1]}}:{{ports[https][0]}}/import-maps/resources/log.js?pipe=sub&name=B", + "https://{{domains[www1]}}:{{ports[https][0]}}/import-maps/resources/log.js?pipe=sub&name=C": "../resources/log.js?pipe=sub&name=D" + } +} +</script> +<script> +promise_test(t => { + return promise_rejects_js(t, TypeError, + import('../resources/log.js?pipe=sub&name=A'), + 'Dynamic import should fail'); + }, 'The URL after mapping violates CSP (but not the URL before mapping)'); + +promise_test(t => { + return import('https://{{domains[www1]}}:{{ports[https][0]}}/import-maps/resources/log.js?pipe=sub&name=C') + .then(() => assert_array_equals(log, ["log:D"])); + }, 'The URL before mapping violates CSP (but not the URL after mapping)'); +</script> diff --git a/testing/web-platform/tests/import-maps/csp/applied-to-target.sub.html b/testing/web-platform/tests/import-maps/csp/applied-to-target.sub.html new file mode 100644 index 0000000000..e6bbfecd0d --- /dev/null +++ b/testing/web-platform/tests/import-maps/csp/applied-to-target.sub.html @@ -0,0 +1,31 @@ +<!DOCTYPE html> +<html> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +<script src="../resources/test-helper.js"></script> +<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline';"> +<script type="importmap"> +{ + "imports": { + "../resources/log.js?pipe=sub&name=A": "https://{{domains[www1]}}:{{ports[https][0]}}/import-maps/resources/log.js?pipe=sub&name=B", + "https://{{domains[www1]}}:{{ports[https][0]}}/import-maps/resources/log.js?pipe=sub&name=C": "../resources/log.js?pipe=sub&name=D" + } +} +</script> +<script type="module"> +import '../resources/log.js?pipe=sub&name=A'; +</script> +<script type="module"> +test(t => { + assert_array_equals(log, []); + }, 'The URL after mapping violates CSP (but not the URL before mapping)'); +</script> + +<script type="module"> +import 'https://{{domains[www1]}}:{{ports[https][0]}}/import-maps/resources/log.js?pipe=sub&name=C'; +</script> +<script type="module"> +test(t => { + assert_array_equals(log, ["log:D"]); + }, 'The URL before mapping violates CSP (but not the URL after mapping)'); +</script> diff --git a/testing/web-platform/tests/import-maps/csp/hash-failure.html b/testing/web-platform/tests/import-maps/csp/hash-failure.html new file mode 100644 index 0000000000..4bab1ed917 --- /dev/null +++ b/testing/web-platform/tests/import-maps/csp/hash-failure.html @@ -0,0 +1,24 @@ +<!DOCTYPE html> +<html> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'sha256-wrong9e+pZbSYIkpB8BIE0Hs7yHajJDiX5mnT/wrong=' 'sha256-RAsyam34o4peVe9sCebtaZWRVhqAhudem+NlcnP2Kp8=';"> + +<!-- 'sha256-P5xqp9e+pZbSYIkpB8BIE0Hs7yHajJDiX5mnT/1PO1I=' --> +<script type="importmap"> +{ + "imports": { + "../resources/log.js?pipe=sub&name=A": "../resources/log.js?pipe=sub&name=B" + } +} +</script> + +<!-- 'sha256-RAsyam34o4peVe9sCebtaZWRVhqAhudem+NlcnP2Kp8=' --> +<script> +const log = []; +promise_test(() => { + return import("../resources/log.js?pipe=sub&name=A") + .then(() => assert_array_equals(log, ["log:A"])) + }, + 'Importmap should not be accepted due to wrong hash'); +</script> diff --git a/testing/web-platform/tests/import-maps/csp/hash.html b/testing/web-platform/tests/import-maps/csp/hash.html new file mode 100644 index 0000000000..868c5beb81 --- /dev/null +++ b/testing/web-platform/tests/import-maps/csp/hash.html @@ -0,0 +1,24 @@ +<!DOCTYPE html> +<html> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'sha256-P5xqp9e+pZbSYIkpB8BIE0Hs7yHajJDiX5mnT/1PO1I=' 'sha256-Ciqph+wQDoB2suzqZVHOD0iw99WqaTUwZXRl7ATzBxc=';"> + +<!-- 'sha256-P5xqp9e+pZbSYIkpB8BIE0Hs7yHajJDiX5mnT/1PO1I=' --> +<script type="importmap"> +{ + "imports": { + "../resources/log.js?pipe=sub&name=A": "../resources/log.js?pipe=sub&name=B" + } +} +</script> + +<!-- 'sha256-Ciqph+wQDoB2suzqZVHOD0iw99WqaTUwZXRl7ATzBxc=' --> +<script> +const log = []; +promise_test(() => { + return import("../resources/log.js?pipe=sub&name=A") + .then(() => assert_array_equals(log, ["log:B"])) + }, + 'Importmap should be accepted due to hash'); +</script> diff --git a/testing/web-platform/tests/import-maps/csp/nonce-failure.html b/testing/web-platform/tests/import-maps/csp/nonce-failure.html new file mode 100644 index 0000000000..a1661a432a --- /dev/null +++ b/testing/web-platform/tests/import-maps/csp/nonce-failure.html @@ -0,0 +1,27 @@ +<!DOCTYPE html> +<html> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc';"> +<script type="importmap"> +{ + "imports": { + "../resources/log.js?pipe=sub&name=A": "../resources/log.js?pipe=sub&name=B" + } +} +</script> +<script type="importmap" nonce="wrong"> +{ + "imports": { + "../resources/log.js?pipe=sub&name=A": "../resources/log.js?pipe=sub&name=B" + } +} +</script> +<script nonce="abc"> +const log = []; +promise_test(() => { + return import("../resources/log.js?pipe=sub&name=A") + .then(() => assert_array_equals(log, ["log:A"])) + }, + 'Importmap should be rejected due to nonce'); +</script> diff --git a/testing/web-platform/tests/import-maps/csp/nonce.html b/testing/web-platform/tests/import-maps/csp/nonce.html new file mode 100644 index 0000000000..858c572214 --- /dev/null +++ b/testing/web-platform/tests/import-maps/csp/nonce.html @@ -0,0 +1,20 @@ +<!DOCTYPE html> +<html> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc';"> +<script type="importmap" nonce="abc"> +{ + "imports": { + "../resources/log.js?pipe=sub&name=A": "../resources/log.js?pipe=sub&name=B" + } +} +</script> +<script nonce="abc"> +const log = []; +promise_test(() => { + return import("../resources/log.js?pipe=sub&name=A") + .then(() => assert_array_equals(log, ["log:B"])) + }, + 'Importmap should be accepted according to its correct nonce'); +</script> diff --git a/testing/web-platform/tests/import-maps/csp/unsafe-inline.html b/testing/web-platform/tests/import-maps/csp/unsafe-inline.html new file mode 100644 index 0000000000..101c33cf84 --- /dev/null +++ b/testing/web-platform/tests/import-maps/csp/unsafe-inline.html @@ -0,0 +1,20 @@ +<!DOCTYPE html> +<html> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> +<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline';"> +<script type="importmap"> +{ + "imports": { + "../resources/log.js?pipe=sub&name=A": "../resources/log.js?pipe=sub&name=B" + } +} +</script> +<script> +const log = []; +promise_test(() => { + return import("../resources/log.js?pipe=sub&name=A") + .then(() => assert_array_equals(log, ["log:B"])) + }, + 'Importmap should be accepted due to unsafe-inline'); +</script> |