summaryrefslogtreecommitdiffstats
path: root/testing/web-platform/tests/content-security-policy/inside-worker/support/connect-src-self-report-only.sub.js
diff options
context:
space:
mode:
Diffstat (limited to 'testing/web-platform/tests/content-security-policy/inside-worker/support/connect-src-self-report-only.sub.js')
-rw-r--r--testing/web-platform/tests/content-security-policy/inside-worker/support/connect-src-self-report-only.sub.js130
1 files changed, 130 insertions, 0 deletions
diff --git a/testing/web-platform/tests/content-security-policy/inside-worker/support/connect-src-self-report-only.sub.js b/testing/web-platform/tests/content-security-policy/inside-worker/support/connect-src-self-report-only.sub.js
new file mode 100644
index 0000000000..c624671476
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/inside-worker/support/connect-src-self-report-only.sub.js
@@ -0,0 +1,130 @@
+importScripts("{{location[server]}}/resources/testharness.js");
+importScripts("{{location[server]}}/content-security-policy/support/testharness-helper.js");
+
+let base_same_origin_url =
+ "{{location[server]}}/content-security-policy/support/resource.py";
+
+// Same-origin
+promise_test(t => {
+ let url = `${base_same_origin_url}?same-origin-fetch`;
+ assert_no_csp_event_for_url(t, url);
+
+ return fetch(url)
+ .then(t.step_func(r => assert_equals(r.status, 200)));
+}, "Same-origin 'fetch()'.");
+
+// XHR is not available in service workers.
+if (self.XMLHttpRequest) {
+ promise_test(t => {
+ let url = `${base_same_origin_url}?same-origin-xhr`;
+ assert_no_csp_event_for_url(t, url);
+
+ return new Promise((resolve, reject) => {
+ var xhr = new XMLHttpRequest();
+ xhr.open("GET", url);
+ xhr.onload = resolve;
+ xhr.onerror = _ => reject("xhr.open should success.");
+ xhr.send();
+ });
+ }, "Same-origin XHR.");
+}
+
+let base_cross_origin_url =
+ "https://{{hosts[][www]}}:{{ports[https][1]}}" +
+ "/content-security-policy/support/resource.py";
+let fetch_cross_origin_url = `${base_cross_origin_url}?cross-origin-fetch`;
+
+// Cross-origin
+promise_test(t => {
+ let url = fetch_cross_origin_url;
+
+ return Promise.all([
+ waitUntilCSPEventForURL(t, url),
+ fetch(url)
+ ]);
+}, "Cross-origin 'fetch()'.");
+
+let xhr_cross_origin_url = `${base_cross_origin_url}?cross-origin-xhr`;
+
+// XHR is not available in service workers.
+if (self.XMLHttpRequest) {
+ promise_test(t => {
+ let url = xhr_cross_origin_url;
+
+ return Promise.all([
+ waitUntilCSPEventForURL(t, url),
+ new Promise((resolve, reject) => {
+ var xhr = new XMLHttpRequest();
+ xhr.open("GET", url);
+ xhr.onload = resolve;
+ xhr.onerror = _ => reject("xhr.open should not have thrown.");
+ xhr.send();
+ })
+ ]);
+ }, "Cross-origin XHR.");
+}
+
+let redirect_url = `{{location[server]}}/common/redirect-opt-in.py?` +
+ `status=307&location=${fetch_cross_origin_url}`;
+
+// Same-origin redirecting to cross-origin
+promise_test(t => {
+ let url = redirect_url;
+
+ return Promise.all([
+ waitUntilCSPEventForURL(t, url),
+ fetch(url)
+ ]);
+}, "Same-origin => cross-origin 'fetch()'.");
+
+let websocket_url = "wss://{{host}}:{{ports[wss][0]}}/echo";
+
+// The WebSocket URL is not the same as 'self'
+promise_test(t => {
+ return Promise.all([
+ waitUntilCSPEventForURL(t, websocket_url),
+ new Promise(resolve => {
+ let ws = new WebSocket(websocket_url);
+ ws.onopen = resolve;
+ })
+ ]);
+}, "WebSocket.");
+
+let expected_blocked_urls = self.XMLHttpRequest
+ ? [ fetch_cross_origin_url, xhr_cross_origin_url, redirect_url, websocket_url ]
+ : [ fetch_cross_origin_url, redirect_url, websocket_url ];
+
+promise_test(async t => {
+ let report_url = `{{location[server]}}/reporting/resources/report.py?` +
+ `?op=retrieve_report&reportID={{GET[id]}}` +
+ `&min_count=${expected_blocked_urls.length}`;
+
+ let response = await fetch(report_url);
+ assert_equals(response.status, 200, "Fetching reports failed");
+
+ let response_json = await response.json();
+ let reports = response_json.map(x => x["csp-report"]);
+
+ assert_array_equals(
+ reports.map(x => x["blocked-uri"]).sort(),
+ expected_blocked_urls.sort(),
+ "Reports do not match");
+ reports.forEach(x => {
+ assert_equals(
+ x["violated-directive"], "connect-src",
+ "Violated directive in report does not match");
+ assert_equals(
+ x["effective-directive"], "connect-src",
+ "Effective directive in report does not match");
+ assert_equals(
+ x["disposition"], "report",
+ "Disposition in report does not match");
+ assert_equals(
+ x["document-uri"],
+ "{{location[server]}}/content-security-policy/inside-worker/" +
+ "support/connect-src-self-report-only.sub.js?id={{GET[id]}}",
+ "Document uri in report does not match");
+ });
+});
+
+done();
generated by cgit v1.2.3 (git 2.39.1) at 2024-09-06 01:12:23 +0000