Diffstat (limited to '')
-rw-r--r--testing/web-platform/tests/content-security-policy/sandbox/service-worker-sandbox.https.html67
1 files changed, 67 insertions, 0 deletions
diff --git a/testing/web-platform/tests/content-security-policy/sandbox/service-worker-sandbox.https.html b/testing/web-platform/tests/content-security-policy/sandbox/service-worker-sandbox.https.html
new file mode 100644
index 0000000000..8b7d72e0ef
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/sandbox/service-worker-sandbox.https.html
@@ -0,0 +1,67 @@
+<!DOCTYPE html>
+<meta charset="utf-8">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/service-workers/service-worker/resources/test-helpers.sub.js"></script>
+<body>
+<script>
+let frame = null;
+let worker = null;
+const scope = 'support/empty.html';
+const script = 'support/sandboxed-service-worker.js';
+
+// Currently, sandbox directives for workers are not specified
+// https://github.com/w3c/webappsec-csp/issues/279
+// and thus this test asserts that the origin of ServiceWorker is not sandboxed.
+
+// Global setup: this must be the first promise_test.
+promise_test(async (t) => {
+ const registration =
+ await service_worker_unregister_and_register(t, script, scope);
+ worker = registration.installing;
+ await wait_for_state(t, worker, 'activated');
+ frame = await with_iframe(scope);
+
+ // Global cleanup: the final promise_test.
+ promise_test(() => {
+ if (frame)
+ frame.remove();
+ return registration.unregister();
+ }, 'global cleanup');
+}, 'global setup');
+
+promise_test(async (t) => {
+ const r = await frame.contentWindow.fetch('/get-origin', {mode: 'cors'});
+ const j = await r.json();
+ assert_equals(j.origin, location.origin, 'Origin should not be sandboxed');
+}, 'Origin of service worker');
+
+promise_test(async (t) => {
+ const r = await frame.contentWindow.fetch('/get-origin',
+ {mode: 'same-origin'});
+ const j = await r.json();
+ assert_equals(j.origin, location.origin, 'Origin should not be opaque');
+}, 'Response generated by service worker can be fetched as same-origin');
+
+// Because the origin of service worker should be `location.origin`,
+// fetches from service worker to `location.origin` should be successful.
+for (const mode of ['same-origin', 'cors']) {
+ for (const hasACAOrigin of [true, false]) {
+ promise_test(async (t) => {
+ const final_url = new URL('/fetch/api/resources/', location);
+ final_url.pathname += hasACAOrigin ? 'cors-top.txt' : 'top.txt';
+ final_url.searchParams.set('hash', Math.random());
+
+ const url = new URL('/fetch', location);
+ url.searchParams.set('url', final_url);
+ url.searchParams.set('hash', Math.random());
+ const r = await frame.contentWindow.fetch(url, {mode});
+ const text = await r.text();
+ assert_equals(text, 'top');
+ }, 'Origin used in fetch on service worker (mode: ' +
+ mode +
+ (hasACAOrigin ? ', with ACAOrigin' : '') +
+ ')');
+ }
+}
+</script>
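Review bot: Nothing in this test confirms that the worker script was actually served with a CSP `sandbox` directive, so every assertion would also pass if that header were missing or dropped. The expected outcome is "origin equals `location.origin`", which is exactly what an unsandboxed worker reports; the header is presumably set by a support file next to `support/sandboxed-service-worker.js`, which is not visible in this hunk. In the 'global setup' test I would add `const csp = (await fetch(script)).headers.get('Content-Security-Policy');` followed by `assert_true(csp !== null && csp.includes('sandbox'), 'worker script must carry CSP sandbox');`. The comment above the setup could also state where the directive is delivered, so a reader can tell what is being pinned while the spec issue is open.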