summaryrefslogtreecommitdiffstats
path: root/testing/web-platform/tests/import-maps/csp
diff options
context:
space:
mode:
Diffstat (limited to 'testing/web-platform/tests/import-maps/csp')
-rw-r--r--testing/web-platform/tests/import-maps/csp/applied-to-target-dynamic.sub.html26
-rw-r--r--testing/web-platform/tests/import-maps/csp/applied-to-target.sub.html31
-rw-r--r--testing/web-platform/tests/import-maps/csp/hash-failure.html24
-rw-r--r--testing/web-platform/tests/import-maps/csp/hash.html24
-rw-r--r--testing/web-platform/tests/import-maps/csp/nonce-failure.html27
-rw-r--r--testing/web-platform/tests/import-maps/csp/nonce.html20
-rw-r--r--testing/web-platform/tests/import-maps/csp/unsafe-inline.html20
7 files changed, 172 insertions, 0 deletions
diff --git a/testing/web-platform/tests/import-maps/csp/applied-to-target-dynamic.sub.html b/testing/web-platform/tests/import-maps/csp/applied-to-target-dynamic.sub.html
new file mode 100644
index 0000000000..2c73803206
--- /dev/null
+++ b/testing/web-platform/tests/import-maps/csp/applied-to-target-dynamic.sub.html
@@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="../resources/test-helper.js"></script>
+<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline';">
+<script type="importmap">
+{
+ "imports": {
+ "../resources/log.js?pipe=sub&name=A": "https://{{domains[www1]}}:{{ports[https][0]}}/import-maps/resources/log.js?pipe=sub&name=B",
+ "https://{{domains[www1]}}:{{ports[https][0]}}/import-maps/resources/log.js?pipe=sub&name=C": "../resources/log.js?pipe=sub&name=D"
+ }
+}
+</script>
+<script>
+promise_test(t => {
+ return promise_rejects_js(t, TypeError,
+ import('../resources/log.js?pipe=sub&name=A'),
+ 'Dynamic import should fail');
+ }, 'The URL after mapping violates CSP (but not the URL before mapping)');
+
+promise_test(t => {
+ return import('https://{{domains[www1]}}:{{ports[https][0]}}/import-maps/resources/log.js?pipe=sub&name=C')
+ .then(() => assert_array_equals(log, ["log:D"]));
+ }, 'The URL before mapping violates CSP (but not the URL after mapping)');
+</script>
diff --git a/testing/web-platform/tests/import-maps/csp/applied-to-target.sub.html b/testing/web-platform/tests/import-maps/csp/applied-to-target.sub.html
new file mode 100644
index 0000000000..e6bbfecd0d
--- /dev/null
+++ b/testing/web-platform/tests/import-maps/csp/applied-to-target.sub.html
@@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="../resources/test-helper.js"></script>
+<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline';">
+<script type="importmap">
+{
+ "imports": {
+ "../resources/log.js?pipe=sub&name=A": "https://{{domains[www1]}}:{{ports[https][0]}}/import-maps/resources/log.js?pipe=sub&name=B",
+ "https://{{domains[www1]}}:{{ports[https][0]}}/import-maps/resources/log.js?pipe=sub&name=C": "../resources/log.js?pipe=sub&name=D"
+ }
+}
+</script>
+<script type="module">
+import '../resources/log.js?pipe=sub&name=A';
+</script>
+<script type="module">
+test(t => {
+ assert_array_equals(log, []);
+ }, 'The URL after mapping violates CSP (but not the URL before mapping)');
+</script>
+
+<script type="module">
+import 'https://{{domains[www1]}}:{{ports[https][0]}}/import-maps/resources/log.js?pipe=sub&name=C';
+</script>
+<script type="module">
+test(t => {
+ assert_array_equals(log, ["log:D"]);
+ }, 'The URL before mapping violates CSP (but not the URL after mapping)');
+</script>
diff --git a/testing/web-platform/tests/import-maps/csp/hash-failure.html b/testing/web-platform/tests/import-maps/csp/hash-failure.html
new file mode 100644
index 0000000000..4bab1ed917
--- /dev/null
+++ b/testing/web-platform/tests/import-maps/csp/hash-failure.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'sha256-wrong9e+pZbSYIkpB8BIE0Hs7yHajJDiX5mnT/wrong=' 'sha256-RAsyam34o4peVe9sCebtaZWRVhqAhudem+NlcnP2Kp8=';">
+
+<!-- 'sha256-P5xqp9e+pZbSYIkpB8BIE0Hs7yHajJDiX5mnT/1PO1I=' -->
+<script type="importmap">
+{
+ "imports": {
+ "../resources/log.js?pipe=sub&name=A": "../resources/log.js?pipe=sub&name=B"
+ }
+}
+</script>
+
+<!-- 'sha256-RAsyam34o4peVe9sCebtaZWRVhqAhudem+NlcnP2Kp8=' -->
+<script>
+const log = [];
+promise_test(() => {
+ return import("../resources/log.js?pipe=sub&name=A")
+ .then(() => assert_array_equals(log, ["log:A"]))
+ },
+ 'Importmap should not be accepted due to wrong hash');
+</script>
diff --git a/testing/web-platform/tests/import-maps/csp/hash.html b/testing/web-platform/tests/import-maps/csp/hash.html
new file mode 100644
index 0000000000..868c5beb81
--- /dev/null
+++ b/testing/web-platform/tests/import-maps/csp/hash.html
@@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'sha256-P5xqp9e+pZbSYIkpB8BIE0Hs7yHajJDiX5mnT/1PO1I=' 'sha256-Ciqph+wQDoB2suzqZVHOD0iw99WqaTUwZXRl7ATzBxc=';">
+
+<!-- 'sha256-P5xqp9e+pZbSYIkpB8BIE0Hs7yHajJDiX5mnT/1PO1I=' -->
+<script type="importmap">
+{
+ "imports": {
+ "../resources/log.js?pipe=sub&name=A": "../resources/log.js?pipe=sub&name=B"
+ }
+}
+</script>
+
+<!-- 'sha256-Ciqph+wQDoB2suzqZVHOD0iw99WqaTUwZXRl7ATzBxc=' -->
+<script>
+const log = [];
+promise_test(() => {
+ return import("../resources/log.js?pipe=sub&name=A")
+ .then(() => assert_array_equals(log, ["log:B"]))
+ },
+ 'Importmap should be accepted due to hash');
+</script>
diff --git a/testing/web-platform/tests/import-maps/csp/nonce-failure.html b/testing/web-platform/tests/import-maps/csp/nonce-failure.html
new file mode 100644
index 0000000000..a1661a432a
--- /dev/null
+++ b/testing/web-platform/tests/import-maps/csp/nonce-failure.html
@@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc';">
+<script type="importmap">
+{
+ "imports": {
+ "../resources/log.js?pipe=sub&name=A": "../resources/log.js?pipe=sub&name=B"
+ }
+}
+</script>
+<script type="importmap" nonce="wrong">
+{
+ "imports": {
+ "../resources/log.js?pipe=sub&name=A": "../resources/log.js?pipe=sub&name=B"
+ }
+}
+</script>
+<script nonce="abc">
+const log = [];
+promise_test(() => {
+ return import("../resources/log.js?pipe=sub&name=A")
+ .then(() => assert_array_equals(log, ["log:A"]))
+ },
+ 'Importmap should be rejected due to nonce');
+</script>
diff --git a/testing/web-platform/tests/import-maps/csp/nonce.html b/testing/web-platform/tests/import-maps/csp/nonce.html
new file mode 100644
index 0000000000..858c572214
--- /dev/null
+++ b/testing/web-platform/tests/import-maps/csp/nonce.html
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc';">
+<script type="importmap" nonce="abc">
+{
+ "imports": {
+ "../resources/log.js?pipe=sub&name=A": "../resources/log.js?pipe=sub&name=B"
+ }
+}
+</script>
+<script nonce="abc">
+const log = [];
+promise_test(() => {
+ return import("../resources/log.js?pipe=sub&name=A")
+ .then(() => assert_array_equals(log, ["log:B"]))
+ },
+ 'Importmap should be accepted according to its correct nonce');
+</script>
diff --git a/testing/web-platform/tests/import-maps/csp/unsafe-inline.html b/testing/web-platform/tests/import-maps/csp/unsafe-inline.html
new file mode 100644
index 0000000000..101c33cf84
--- /dev/null
+++ b/testing/web-platform/tests/import-maps/csp/unsafe-inline.html
@@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline';">
+<script type="importmap">
+{
+ "imports": {
+ "../resources/log.js?pipe=sub&name=A": "../resources/log.js?pipe=sub&name=B"
+ }
+}
+</script>
+<script>
+const log = [];
+promise_test(() => {
+ return import("../resources/log.js?pipe=sub&name=A")
+ .then(() => assert_array_equals(log, ["log:B"]))
+ },
+ 'Importmap should be accepted due to unsafe-inline');
+</script>