1 files changed, 32 insertions, 0 deletions

diff --git a/testing/web-platform/tests/content-security-policy/inside-worker/serviceworker-script-src.https.sub.html b/testing/web-platform/tests/content-security-policy/inside-worker/serviceworker-script-src.https.sub.html
new file mode 100644
index 0000000000..5631786cc5
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inside-worker/serviceworker-script-src.https.sub.html
@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<!-- Test the 'script-src' directive on service workers -->
+<meta http-equiv="content-security-policy" content="script-src 'self' 'nonce-a' blob: filesystem:">
+<script nonce="a">
+  [ // Service worker do not inherit CSP.
+    "./support/script-src-allow.sub.js",
+
+    // Service workers honor CSP received in their response headers.
+    "./support/script-src-self.sub.js?id={{$id1:uuid()}}" +
+      "&test-name=script-src 'self'" +
+      "&pipe=sub|header(Content-Security-Policy," +
+      "script-src 'self' ; report-uri " +
+      "/reporting/resources/report.py?op=put%26reportID={{$id1}})",
+
+    // Also check that script-src falls back to default-src.
+    "./support/script-src-self.sub.js?id={{$id2:uuid()}}" +
+      "&test-name=default-src 'self'" +
+      "&pipe=sub|header(Content-Security-Policy," +
+      "default-src 'self' ; report-uri " +
+      "/reporting/resources/report.py?op=put%26reportID={{$id2}})"]
+  .forEach(url => {
+    promise_test(async t => {
+      let r = await navigator.serviceWorker.register(
+        url, {scope: "./support/blank.html"});
+      t.add_cleanup(_ => r.unregister());
+      let sw = r.active || r.installing || r.waiting;
+      await fetch_tests_from_worker(sw);
+    });
+  });
+</script>