1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
|
importScripts("{{location[server]}}/resources/testharness.js");
importScripts("{{location[server]}}/content-security-policy/support/testharness-helper.js");
let base_same_origin_url =
"{{location[server]}}/content-security-policy/support/resource.py";
// Same-origin
promise_test(t => {
let url = `${base_same_origin_url}?same-origin-fetch`;
assert_no_csp_event_for_url(t, url);
return fetch(url)
.then(t.step_func(r => assert_equals(r.status, 200)));
}, "Same-origin 'fetch()'.");
// XHR is not available in service workers.
if (self.XMLHttpRequest) {
promise_test(t => {
let url = `${base_same_origin_url}?same-origin-xhr`;
assert_no_csp_event_for_url(t, url);
return new Promise((resolve, reject) => {
var xhr = new XMLHttpRequest();
xhr.open("GET", url);
xhr.onload = resolve;
xhr.onerror = _ => reject("xhr.open should success.");
xhr.send();
});
}, "Same-origin XHR.");
}
let base_cross_origin_url =
"https://{{hosts[][www]}}:{{ports[https][1]}}" +
"/content-security-policy/support/resource.py";
let fetch_cross_origin_url = `${base_cross_origin_url}?cross-origin-fetch`;
// Cross-origin
promise_test(t => {
let url = fetch_cross_origin_url;
return Promise.all([
waitUntilCSPEventForURL(t, url),
fetch(url)
]);
}, "Cross-origin 'fetch()'.");
let xhr_cross_origin_url = `${base_cross_origin_url}?cross-origin-xhr`;
// XHR is not available in service workers.
if (self.XMLHttpRequest) {
promise_test(t => {
let url = xhr_cross_origin_url;
return Promise.all([
waitUntilCSPEventForURL(t, url),
new Promise((resolve, reject) => {
var xhr = new XMLHttpRequest();
xhr.open("GET", url);
xhr.onload = resolve;
xhr.onerror = _ => reject("xhr.open should not have thrown.");
xhr.send();
})
]);
}, "Cross-origin XHR.");
}
let redirect_url = `{{location[server]}}/common/redirect-opt-in.py?` +
`status=307&location=${fetch_cross_origin_url}`;
// Same-origin redirecting to cross-origin
promise_test(t => {
let url = redirect_url;
return Promise.all([
waitUntilCSPEventForURL(t, url),
fetch(url)
]);
}, "Same-origin => cross-origin 'fetch()'.");
let websocket_url = "wss://{{host}}:{{ports[wss][0]}}/echo";
// The WebSocket URL is not the same as 'self'
promise_test(t => {
return Promise.all([
waitUntilCSPEventForURL(t, websocket_url),
new Promise(resolve => {
let ws = new WebSocket(websocket_url);
ws.onopen = resolve;
})
]);
}, "WebSocket.");
let expected_blocked_urls = self.XMLHttpRequest
? [ fetch_cross_origin_url, xhr_cross_origin_url, redirect_url, websocket_url ]
: [ fetch_cross_origin_url, redirect_url, websocket_url ];
promise_test(async t => {
let report_url = `{{location[server]}}/reporting/resources/report.py?` +
`?op=retrieve_report&reportID={{GET[id]}}` +
`&min_count=${expected_blocked_urls.length}`;
let response = await fetch(report_url);
assert_equals(response.status, 200, "Fetching reports failed");
let response_json = await response.json();
let reports = response_json.map(x => x["csp-report"]);
assert_array_equals(
reports.map(x => x["blocked-uri"]).sort(),
expected_blocked_urls.sort(),
"Reports do not match");
reports.forEach(x => {
assert_equals(
x["violated-directive"], "connect-src",
"Violated directive in report does not match");
assert_equals(
x["effective-directive"], "connect-src",
"Effective directive in report does not match");
assert_equals(
x["disposition"], "report",
"Disposition in report does not match");
assert_equals(
x["document-uri"],
"{{location[server]}}/content-security-policy/inside-worker/" +
"support/connect-src-self-report-only.sub.js?id={{GET[id]}}",
"Document uri in report does not match");
});
});
done();
|
