<!DOCTYPE html>
<title>DedicatedWorker: CSP for ES Modules</title>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script>
/**
 * Opens `url` in a new window and waits until that window reports that it has
 * finished loading.
 *
 * The opened page is expected to post a message whose data is the string
 * 'LOADED' once it is ready; any other payload fails the enclosing test.
 * The window is closed automatically when the test's result is recorded.
 *
 * NOTE(review): neither `origin` nor `source` of the incoming message is
 * checked. The pages opened here are same-origin test resources, so this is
 * acceptable, but an unrelated message arriving first would be taken as the
 * load signal.
 *
 * @param {string} url - URL of the test-resource page to open.
 * @returns {Promise<Window>} the opened window, once it has reported 'LOADED'.
 */
async function openWindow(url) {
  const opened = window.open(url, '_blank');
  // Close the popup once the current test's result has been recorded.
  add_result_callback(() => opened.close());
  // This installs a single global handler; promise_test runs tests
  // sequentially, so only one window is expected to be messaging us at a time.
  const loaded = await new Promise((resolve) => {
    window.onmessage = resolve;
  });
  assert_equals(loaded.data, 'LOADED');
  return opened;
}
/**
 * Registers one promise_test that starts a dedicated module worker and checks
 * which cross-origin modules it managed to import under `cspHeader`.
 *
 * Where the header is attached depends on the kind of import under test:
 *  - 'static':  the header is put on the window page, since a worker's static
 *               imports are governed by the Window's CSP;
 *  - 'dynamic': the header is put on the worker script's response, since
 *               dynamic imports are governed by the worker script's own CSP.
 * The header is injected with the WPT `?pipe=header(...)` query mechanism.
 *
 * @param {string} cspHeader - Content-Security-Policy header value to apply.
 * @param {'static'|'dynamic'} importType - kind of import being exercised;
 *   also selects the worker script `${importType}-import-remote-origin-script-worker.sub.js`.
 * @param {string[]} expectedImportedModules - module names the worker is
 *   expected to report, or ['ERROR'] when the import should be blocked.
 * @param {string} description - test name handed to promise_test.
 */
function import_csp_test(
    cspHeader, importType, expectedImportedModules, description) {
  const cspPipe = `?pipe=header(Content-Security-Policy, ${cspHeader})`;
  const isStatic = importType === 'static';
  const isDynamic = importType === 'dynamic';

  // Static-import tests carry the CSP on the window page.
  const windowURL =
      'resources/new-worker-window.html' + (isStatic ? cspPipe : '');
  // Dynamic-import tests carry the CSP on the worker script response.
  const scriptURL =
      `${importType}-import-remote-origin-script-worker.sub.js` +
      (isDynamic ? cspPipe : '');

  promise_test(async () => {
    const win = await openWindow(windowURL);
    // The window starts a dedicated worker from the URL it receives and relays
    // the worker's list of imported modules back to us.
    win.postMessage(scriptURL, '*');
    const result = await new Promise((resolve) => {
      window.onmessage = resolve;
    });
    assert_array_equals(result.data, expectedImportedModules);
  }, description);
}
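// Tests for static import.
//
// Static import should obey the worker-src directive and the script-src
// directive. If both directives are specified, the worker-src directive
// takes precedence.
//
// Step 1: "If the result of executing 6.6.1.11 Get the effective directive for
// request on request is "worker-src", and policy contains a directive whose
// name is "worker-src", return "Allowed"."
// "Note: If worker-src is present, we’ll defer to it when handling worker
// requests."
// https://w3c.github.io/webappsec-csp/#script-src-pre-request
//
// Each case pairs a CSP header (applied to the window page) with the module
// list the worker is expected to report: ['ERROR'] when the cross-origin
// import is blocked, the imported module's name when it is allowed.
import_csp_test(
    "worker-src 'self' 'unsafe-inline'",
    "static",
    ['ERROR'],
    "worker-src 'self' directive should disallow cross origin static import.");
import_csp_test(
    "worker-src * 'unsafe-inline'",
    "static",
    ["export-on-load-script.js"],
    "worker-src * directive should allow cross origin static import.");
import_csp_test(
    "script-src 'self' 'unsafe-inline'",
    "static",
    ['ERROR'],
    "script-src 'self' directive should disallow cross origin static import.");
import_csp_test(
    "script-src * 'unsafe-inline'",
    "static",
    ["export-on-load-script.js"],
    "script-src * directive should allow cross origin static import.");
// When both directives are present, worker-src wins regardless of which one
// is the more permissive.
import_csp_test(
    "worker-src *; script-src 'self' 'unsafe-inline'",
    "static",
    ["export-on-load-script.js"],
    "worker-src * directive should override script-src 'self' directive and " +
    "allow cross origin static import.");
import_csp_test(
    "worker-src 'self'; script-src * 'unsafe-inline'",
    "static",
    ['ERROR'],
    "worker-src 'self' directive should override script-src * directive and " +
    "disallow cross origin static import.");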
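// Tests for dynamic import.
//
// Dynamic import should obey the script-src directive instead of the worker-src
// directive according to the specs:
//
// Dynamic import has the "script" destination.
// Step 2.4: "Fetch a module script graph given url, ..., "script", ..."
// https://html.spec.whatwg.org/multipage/webappapis.html#hostimportmoduledynamically(referencingscriptormodule,-specifier,-promisecapability)
//
// The "script" destination should obey the script-src CSP directive.
// Step 2: "If request's destination is script-like:"
// https://w3c.github.io/webappsec-csp/#script-src-pre-request
//
// For these cases the CSP header is applied to the worker script's response
// (not the window page); see import_csp_test.
import_csp_test(
    "script-src 'self' 'unsafe-inline'",
    "dynamic",
    ['ERROR'],
    "script-src 'self' directive should disallow cross origin dynamic import.");
import_csp_test(
    "script-src * 'unsafe-inline'",
    "dynamic",
    ["export-on-load-script.js"],
    "script-src * directive should allow cross origin dynamic import.");
// A restrictive worker-src alone must not block a dynamic import, since the
// request's destination is "script", not "worker".
import_csp_test(
    "worker-src 'self' 'unsafe-inline'",
    "dynamic",
    ["export-on-load-script.js"],
    "worker-src 'self' directive should not take effect on dynamic import.");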
</script>