1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
|
<!DOCTYPE html>
<title>CSP for subresource WebBundle (blocked cases)</title>
<link
rel="help"
href="https://github.com/WICG/webpackage/blob/main/explainers/subresource-loading.md"
/>
<meta
http-equiv="Content-Security-Policy"
content="
script-src
urn:
https://web-platform.test:8444/resources/testharness.js
https://web-platform.test:8444/resources/testharnessreport.js
'unsafe-inline';
img-src
https://web-platform.test:8444/web-bundle/resources/wbn/subresource.wbn;
frame-src
urn:;
report-to
csp-group"
/>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<body>
<script type="webbundle">
{
"source": "../resources/wbn/subresource.wbn",
"resources": ["https://web-platform.test:8444/web-bundle/resources/wbn/fail.png"]
}
</script>
<script type="webbundle">
{
"source": "../resources/wbn/uuid-in-package.wbn",
"resources": ["uuid-in-package:020111b3-437a-4c5c-ae07-adb6bbffb720",
"uuid-in-package:429fcc4e-0696-4bad-b099-ee9175f023ae"]
}
</script>
<script>
const uuid_bundle_url =
"https://web-platform.test:8444/web-bundle/resources/wbn/uuid-in-package.wbn";
function expect_violation() {
return new Promise((resolve) => {
document.addEventListener(
"securitypolicyviolation",
(e) => {
e.stopPropagation();
resolve(e);
},
{ once: true }
);
});
}
function getReportID() {
const cookies = document.cookie.split(";");
for (var i = 0; i < cookies.length; i++) {
const name_value = cookies[i].split("=");
const cookieName = name_value[0].trim();
if (cookieName === "csp-blocked-report-id") {
return name_value[1].trim();
}
}
}
function sortReportsByEffectiveDirective(reports) {
reports.sort(
(report1, report2) =>
report1.body.effectiveDirective.localeCompare(
report2.body.effectiveDirective
) || report1.body.blockedURL.localeCompare(report2.body.blockedURL)
);
}
promise_test(async () => {
const p = expect_violation();
const img = document.createElement("img");
const error_promise = new Promise((resolve) => {
img.onerror = resolve;
});
img.src =
"https://web-platform.test:8444/web-bundle/resources/wbn/fail.png";
document.body.appendChild(img);
const e = await p;
assert_equals(e.blockedURI, img.src);
await error_promise;
}, "URL matching of CSP should be done based on the subresource URL, " +
"not on the bundle URL, when the subresource URL is HTTPS URL.");
const testCases = [
{
prefix: "uuid-in-package:",
bundle_url: uuid_bundle_url,
},
];
for (const params of testCases) {
promise_test(async () => {
const urn_uuid = params.prefix + "020111b3-437a-4c5c-ae07-adb6bbffb720";
const p = expect_violation();
const script = document.createElement("script");
script.src = urn_uuid;
document.body.appendChild(script);
const e = await p;
// Currently Chromium is reporting the bundle URL.
// TODO(crbug.com/1208659): Consider deeper integration with CSP for
// providing the both URLs.
assert_equals(e.blockedURI, params.bundle_url);
assert_equals(e.violatedDirective, "script-src-elem");
}, "URL matching of script-src CSP should be done based on the bundle URL " +
`when the subresource URL is ${params.prefix} URL.`);
promise_test(async () => {
const urn_uuid = params.prefix + "429fcc4e-0696-4bad-b099-ee9175f023ae";
const p = expect_violation();
const iframe = document.createElement("iframe");
iframe.src = urn_uuid;
const load_promise = new Promise((resolve) => {
iframe.addEventListener("load", resolve);
});
document.body.appendChild(iframe);
const e = await p;
// Currently Chromium is reporting the bundle URL.
// TODO(crbug.com/1208659): Consider deeper integration with CSP for
// providing the both URLs.
assert_equals(e.blockedURI, params.bundle_url);
assert_equals(e.violatedDirective, "frame-src");
// Make sure that the blocked iframe load is finished.
await load_promise;
// The blocked iframe is cross-origin. So accessing
// iframe.contentWindow.location should throw a SecurityError.
assert_throws_dom("SecurityError", () => {
iframe.contentWindow.location.href;
});
}, "URL matching of frame-src CSP should be done based on the bundle URL " +
`when the frame URL is ${params.prefix} URL.`);
}
promise_test(async () => {
const retrieve_report_url =
"/reporting/resources/report.py?op=retrieve_report&timeout=3&reportID=" +
getReportID();
const reports = await (await fetch(retrieve_report_url)).json();
sortReportsByEffectiveDirective(reports);
assert_equals(reports.length, 3, "Report count.");
assert_equals(reports[0].body.blockedURL, uuid_bundle_url);
assert_equals(reports[0].body.effectiveDirective, "frame-src");
assert_equals(
reports[1].body.blockedURL,
"https://web-platform.test:8444/web-bundle/resources/wbn/fail.png"
);
assert_equals(reports[1].body.effectiveDirective, "img-src");
assert_equals(reports[2].body.blockedURL, uuid_bundle_url);
assert_equals(reports[2].body.effectiveDirective, "script-src-elem");
}, "Check the CSP violation reports.");
</script>
</body>
|
