File: connect-src-self.sub.js

package info (click to toggle)
firefox-esr 115.15.0esr-1~deb12u1
  • links: PTS, VCS
  • area: main
  • in suites: bookworm
  • size: 3,659,216 kB
  • sloc: cpp: 6,676,686; javascript: 5,690,965; ansic: 3,328,546; python: 1,120,594; asm: 397,163; xml: 180,531; java: 178,838; sh: 68,930; makefile: 20,999; perl: 12,595; objc: 12,561; yacc: 4,583; cs: 3,846; pascal: 2,840; lex: 1,720; ruby: 1,079; exp: 762; php: 436; lisp: 258; awk: 247; sql: 66; sed: 54; csh: 10
file content (143 lines) | stat: -rw-r--r-- 4,756 bytes parent folder | download | duplicates (21) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
 
importScripts("{{location[server]}}/resources/testharness.js");
importScripts("{{location[server]}}/content-security-policy/support/testharness-helper.js");

let base_same_origin_url =
      "{{location[server]}}/content-security-policy/support/resource.py";
let base_cross_origin_url =
      "https://{{hosts[][www]}}:{{ports[https][1]}}" +
      "/content-security-policy/support/resource.py";

// Same-origin
promise_test(t => {
  let url = `${base_same_origin_url}?same-origin-fetch`;
  assert_no_csp_event_for_url(t, url);

  return fetch(url)
    .then(t.step_func(r => assert_equals(r.status, 200)));
}, "Same-origin 'fetch()' in " + self.location.protocol +
             " with {{GET[test-name]}}");

// XHR is not available in service workers.
if (self.XMLHttpRequest) {
  promise_test(t => {
    let url = `${base_same_origin_url}?same-origin-xhr`;
    assert_no_csp_event_for_url(t, url);

    return new Promise((resolve, reject) => {
      let xhr = new XMLHttpRequest();
      xhr.open("GET", url);
      xhr.onload = resolve;
      xhr.onerror = _ => reject("xhr.open should success.");
      xhr.send();
    });
  }, "Same-origin XHR in " + self.location.protocol +
               " with {{GET[test-name]}}");
}

let fetch_cross_origin_url = `${base_cross_origin_url}?cross-origin-fetch`;

// Cross-origin
promise_test(t => {
  let url = fetch_cross_origin_url;

  return Promise.all([
    waitUntilCSPEventForURL(t, url),
    fetch(url)
        .then(t.step_func(_ => assert_unreached(
            "cross-origin fetch should have thrown.")))
        .catch(t.step_func(e => assert_true(e instanceof TypeError)))
  ]);
}, "Cross-origin 'fetch()' in " + self.location.protocol +
             " with {{GET[test-name]}}");

let xhr_cross_origin_url = `${base_cross_origin_url}?cross-origin-xhr`;

// XHR is not available in service workers.
if (self.XMLHttpRequest) {
  promise_test(t => {
    let url = xhr_cross_origin_url;

    return Promise.all([
      waitUntilCSPEventForURL(t, url),
      new Promise((resolve, reject) => {
        let xhr = new XMLHttpRequest();
        xhr.open("GET", url);
        xhr.onload = _ => reject("xhr.open should have thrown.");
        xhr.onerror = resolve;
        xhr.send();
      })
    ]);
  }, "Cross-origin XHR in " + self.location.protocol +
               " with {{GET[test-name]}}");
}

let redirect_url = `{{location[server]}}/common/redirect-opt-in.py?` +
      `status=307&location=${fetch_cross_origin_url}`;

// Same-origin redirecting to cross-origin
promise_test(t => {
  let url = redirect_url;

  return Promise.all([
    waitUntilCSPEventForURL(t, url),
    fetch(url)
        .then(t.step_func(_ => assert_unreached(
            "cross-origin redirect should have thrown.")))
      .catch(t.step_func(e => assert_true(e instanceof TypeError)))
  ]);
}, "Same-origin => cross-origin 'fetch()' in " + self.location.protocol +
             " with {{GET[test-name]}}");


let websocket_url = "wss://{{host}}:{{ports[wss][0]}}/echo";

// The WebSocket URL is not the same as 'self'
promise_test(t => {
  return Promise.all([
    waitUntilCSPEventForURL(t, websocket_url),
    new Promise((resolve, reject) => {
      // Firefox throws in the constructor, Chrome triggers the error event.
      try {
        let ws = new WebSocket(websocket_url);
        ws.onerror = resolve;
        ws.onopen = reject; // unexpected
      } catch (e) {
        resolve();
      }
    })
  ]);
}, "WebSocket in " + self.location.protocol + " with {{GET[test-name]}}");

let expected_blocked_urls = self.XMLHttpRequest
    ? [ fetch_cross_origin_url, xhr_cross_origin_url, redirect_url, websocket_url ]
    : [ fetch_cross_origin_url, redirect_url, websocket_url ];

promise_test(async t => {
  let report_url = `{{location[server]}}/reporting/resources/report.py` +
      `?op=retrieve_report&reportID={{GET[id]}}` +
      `&min_count=${expected_blocked_urls.length}`;

  let response = await fetch(report_url);
  assert_equals(response.status, 200, "Fetching reports failed");

  let response_json = await response.json();
  let reports = response_json.map(x => x["csp-report"]);

  assert_array_equals(
      reports.map(x => x["blocked-uri"]).sort(),
      expected_blocked_urls.sort(),
      "Reports do not match");
  reports.forEach(x => {
    assert_equals(
        x["violated-directive"], "connect-src",
        "Violated directive in report does not match");
    assert_equals(
        x["effective-directive"], "connect-src",
        "Effective directive in report does not match");
    assert_equals(
        x["disposition"], "enforce",
        "Effective directive in report does not match");
  });
}, "Reports match in " + self.location.protocol + " with {{GET[test-name]}}");

done();