| <!DOCTYPE html> |
| <title>DedicatedWorker: CSP for ES Modules</title> |
| <script src="/resources/testharness.js"></script> |
| <script src="/resources/testharnessreport.js"></script> |
| <script> |
| |
| async function openWindow(url) { |
| const win = window.open(url, '_blank'); |
| add_result_callback(() => win.close()); |
| const msg_event = await new Promise(resolve => window.onmessage = resolve); |
| assert_equals(msg_event.data, 'LOADED'); |
| return win; |
| } |
| |
| function import_csp_test( |
| cspHeader, scriptURL, expectedImportedModules, description) { |
| const windowURL = |
| `resources/new-worker-window.html?pipe=header(` + |
| `Content-Security-Policy, ${cspHeader})`; |
| promise_test(async () => { |
| // Open a window that has the given CSP header. |
| const win = await openWindow(windowURL); |
| // Ask the window to start a dedicated worker. The worker inherits the |
| // window's CSP header. |
| // https://w3c.github.io/webappsec-csp/#initialize-global-object-csp |
| win.postMessage(scriptURL, '*'); |
| const msg_event = await new Promise(resolve => window.onmessage = resolve); |
| assert_array_equals(msg_event.data, expectedImportedModules); |
| }, description); |
| } |
| |
| // Tests for static import. |
| // |
| // Static import should obey the worker-src directive and the script-src |
| // directive. If the both directives are specified, the worker-src directive |
| // should be prioritized. |
| // |
| // Step 1: "If the result of executing 6.6.1.11 Get the effective directive for |
| // request on request is "worker-src", and policy contains a directive whose |
| // name is "worker-src", return "Allowed"." |
| // "Note: If worker-src is present, we’ll defer to it when handling worker |
| // requests." |
| // https://w3c.github.io/webappsec-csp/#script-src-pre-request |
| |
| import_csp_test( |
| "worker-src 'self' 'unsafe-inline'", |
| "static-import-remote-origin-script-worker.sub.js", |
| ['ERROR'], |
| "worker-src 'self' directive should disallow cross origin static import."); |
| |
| import_csp_test( |
| "worker-src * 'unsafe-inline'", |
| "static-import-remote-origin-script-worker.sub.js", |
| ["export-on-load-script.js"], |
| "worker-src * directive should allow cross origin static import.") |
| |
| import_csp_test( |
| "script-src 'self' 'unsafe-inline'", |
| "static-import-remote-origin-script-worker.sub.js", |
| ['ERROR'], |
| "script-src 'self' directive should disallow cross origin static import."); |
| |
| import_csp_test( |
| "script-src * 'unsafe-inline'", |
| "static-import-remote-origin-script-worker.sub.js", |
| ["export-on-load-script.js"], |
| "script-src * directive should allow cross origin static import.") |
| |
| import_csp_test( |
| "worker-src *; script-src 'self' 'unsafe-inline'", |
| "static-import-remote-origin-script-worker.sub.js", |
| ["export-on-load-script.js"], |
| "worker-src * directive should override script-src 'self' directive and " + |
| "allow cross origin static import."); |
| |
| import_csp_test( |
| "worker-src 'self'; script-src * 'unsafe-inline'", |
| "static-import-remote-origin-script-worker.sub.js", |
| ['ERROR'], |
| "worker-src 'self' directive should override script-src * directive and " + |
| "disallow cross origin static import."); |
| |
| // Tests for dynamic import. |
| // |
| // Dynamic import should obey the script-src directive instead of the worker-src |
| // directive according to the specs: |
| // |
| // Dynamic import has the "script" destination. |
| // Step 2.4: "Fetch a module script graph given url, ..., "script", ..." |
| // https://html.spec.whatwg.org/multipage/webappapis.html#hostimportmoduledynamically(referencingscriptormodule,-specifier,-promisecapability) |
| // |
| // The "script" destination should obey the script-src CSP directive. |
| // Step 2: "If request's destination is script-like:" |
| // https://w3c.github.io/webappsec-csp/#script-src-pre-request |
| |
| import_csp_test( |
| "script-src 'self' 'unsafe-inline'", |
| "dynamic-import-remote-origin-script-worker.sub.js", |
| ['ERROR'], |
| "script-src 'self' directive should disallow cross origin dynamic import."); |
| |
| import_csp_test( |
| "script-src * 'unsafe-inline'", |
| "dynamic-import-remote-origin-script-worker.sub.js", |
| ["export-on-load-script.js"], |
| "script-src * directive should allow cross origin dynamic import.") |
| |
| import_csp_test( |
| "worker-src 'self' 'unsafe-inline'", |
| "dynamic-import-remote-origin-script-worker.sub.js", |
| ["export-on-load-script.js"], |
| "worker-src 'self' directive should not take effect on dynamic import."); |
| |
| </script> |