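<!DOCTYPE HTML>
<html>
<head>
  <title>Bug 1475849: Test CSP worker inheritance</title>
  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
  <script src="/tests/SimpleTest/SimpleTest.js"></script>
  <script type="application/javascript" src="worker_helper.js"></script>

</head>
<body>
<script type="application/javascript">
  // Script that serves the worker; the query string tells it which request to
  // make (base/action), which CSP to deliver, and whether to spawn a child.
  const SJS = "worker.sjs";
  // Same-origin and cross-origin targets of the request made inside the worker.
  const SAME_BASE = "http://mochi.test:8888/tests/dom/security/test/csp/file_CSP.sjs";
  const CROSS_BASE = "http://example.com/tests/dom/security/test/csp/file_CSP.sjs";

  // CSP strings shared by the test cases below (kept byte-identical to the
  // values the cases originally carried inline).
  const CSP_URL_WORKER = "default-src 'self' blob: ; connect-src http://example.com";
  const CSP_URL_PARENT = "default-src 'self' blob: ; connect-src 'self' http://example.com";
  const CSP_SELF_BLOB = "default-src 'self' blob:";
  const CSP_NONE = "default-src 'none'";

  SimpleTest.waitForExplicitFinish();
  /* test data format :
     {
       id: test id, short description of test,
       base: URL of the request in worker,
       action: type of request in worker (fetch, xhr, importScripts)
       type: how do we create the worker, from URL or Blob,
       csp: csp of worker,
       child: how do we create the child worker, from URL or Blob,
       childCsp: csp of child worker
       expectBlocked: whether the CSP policy is expected to block the request, true or false
     }
  */

  // Document's CSP is defined in main_csp_worker.html^headers^
  // Content-Security-Policy: default-src 'self' blob: 'unsafe-inline'
  const tests = [
    // create new Worker(url); the worker's CSP should be delivered via the
    // response header.
    // csp should be: default-src 'self' blob: ; connect-src CROSS_BASE
    {
      id: "worker_url_fetch_same_bad",
      base: SAME_BASE,
      action: "fetch",
      type: "url",
      csp: CSP_URL_WORKER,
      expectBlocked: true,
    },
    {
      id: "worker_url_importScripts_same_good",
      base: SAME_BASE,
      action: "importScripts",
      type: "url",
      csp: CSP_URL_WORKER,
      expectBlocked: false,
    },
    {
      id: "worker_url_xhr_same_bad",
      base: SAME_BASE,
      action: "xhr",
      type: "url",
      csp: CSP_URL_WORKER,
      expectBlocked: true,
    },
    {
      id: "worker_url_fetch_cross_good",
      base: CROSS_BASE,
      action: "fetch",
      type: "url",
      csp: CSP_URL_WORKER,
      expectBlocked: false,
    },
    {
      id: "worker_url_importScripts_cross_bad",
      base: CROSS_BASE,
      action: "importScripts",
      type: "url",
      csp: CSP_URL_WORKER,
      expectBlocked: true,
    },
    {
      id: "worker_url_xhr_cross_good",
      base: CROSS_BASE,
      action: "xhr",
      type: "url",
      csp: CSP_URL_WORKER,
      expectBlocked: false,
    },

    // create new Worker(blob:); the worker's CSP should be inherited from the
    // document (the csp sent to the sjs must not take effect).
    // csp should be: default-src 'self' blob: 'unsafe-inline'
    {
      id: "worker_blob_fetch_same_good",
      base: SAME_BASE,
      action: "fetch",
      type: "blob",
      csp: CSP_URL_WORKER,
      expectBlocked: false,
    },
    {
      id: "worker_blob_xhr_same_good",
      base: SAME_BASE,
      action: "xhr",
      type: "blob",
      csp: CSP_URL_WORKER,
      expectBlocked: false,
    },
    {
      id: "worker_blob_importScripts_same_good",
      base: SAME_BASE,
      action: "importScripts",
      type: "blob",
      csp: CSP_URL_WORKER,
      expectBlocked: false,
    },
    {
      id: "worker_blob_fetch_cross_bad",
      base: CROSS_BASE,
      action: "fetch",
      type: "blob",
      csp: CSP_URL_WORKER,
      expectBlocked: true,
    },
    {
      id: "worker_blob_xhr_cross_bad",
      base: CROSS_BASE,
      action: "xhr",
      type: "blob",
      csp: CSP_URL_WORKER,
      expectBlocked: true,
    },
    {
      id: "worker_blob_importScripts_cross_bad",
      base: CROSS_BASE,
      action: "importScripts",
      type: "blob",
      csp: CSP_URL_WORKER,
      expectBlocked: true,
    },

    // create parent worker from url, child worker from blob;
    // the parent's header-delivered CSP should propagate to the child
    // (childCsp is sent but must not take effect).
    // csp should be: "default-src 'self' blob: ; connect-src 'self' http://example.com"
    {
      id: "worker_url_child_blob_fetch_same_good",
      base: SAME_BASE,
      action: "fetch",
      type: "url",
      csp: CSP_URL_PARENT,
      child: "blob",
      childCsp: CSP_NONE,
      expectBlocked: false,
    },
    {
      id: "worker_url_child_blob_importScripts_same_good",
      base: SAME_BASE,
      action: "importScripts",
      type: "url",
      csp: CSP_URL_PARENT,
      child: "blob",
      childCsp: CSP_NONE,
      expectBlocked: false,
    },
    {
      id: "worker_url_child_blob_xhr_same_good",
      base: SAME_BASE,
      action: "xhr",
      type: "url",
      csp: CSP_URL_PARENT,
      child: "blob",
      childCsp: CSP_NONE,
      expectBlocked: false,
    },
    {
      id: "worker_url_child_blob_fetch_cross_good",
      base: CROSS_BASE,
      action: "fetch",
      type: "url",
      csp: CSP_URL_PARENT,
      child: "blob",
      childCsp: CSP_NONE,
      expectBlocked: false,
    },
    {
      id: "worker_url_child_blob_importScripts_cross_bad",
      base: CROSS_BASE,
      action: "importScripts",
      type: "url",
      csp: CSP_URL_PARENT,
      child: "blob",
      childCsp: CSP_NONE,
      expectBlocked: true,
    },
    {
      // NOTE: the id has a typo ("godd" for "good"); it is kept as-is because
      // the id is sent to worker.sjs and used again in checkUri.
      id: "worker_url_child_blob_xhr_cross_godd",
      base: CROSS_BASE,
      action: "xhr",
      type: "url",
      csp: CSP_URL_PARENT,
      child: "blob",
      childCsp: CSP_NONE,
      expectBlocked: false,
    },

    // create parent worker from blob, child worker from blob;
    // CSP inheritance chain: document -> parent -> child.
    // csp should be: default-src 'self' blob: 'unsafe-inline'
    {
      id: "worker_blob_child_blob_fetch_same_good",
      base: SAME_BASE,
      action: "fetch",
      type: "blob",
      csp: CSP_SELF_BLOB,
      child: "blob",
      childCsp: CSP_NONE,
      expectBlocked: false,
    },
    {
      id: "worker_blob_child_blob_xhr_same_good",
      base: SAME_BASE,
      action: "xhr",
      type: "blob",
      csp: CSP_SELF_BLOB,
      child: "blob",
      childCsp: CSP_NONE,
      expectBlocked: false,
    },
    {
      id: "worker_blob_child_blob_importScripts_same_good",
      base: SAME_BASE,
      action: "importScripts",
      type: "blob",
      csp: CSP_SELF_BLOB,
      child: "blob",
      childCsp: CSP_NONE,
      expectBlocked: false,
    },
    {
      id: "worker_blob_child_blob_fetch_cross_bad",
      base: CROSS_BASE,
      action: "fetch",
      type: "blob",
      csp: CSP_SELF_BLOB,
      child: "blob",
      childCsp: CSP_NONE,
      expectBlocked: true,
    },
    {
      id: "worker_blob_child_blob_xhr_cross_bad",
      base: CROSS_BASE,
      action: "xhr",
      type: "blob",
      csp: CSP_SELF_BLOB,
      child: "blob",
      childCsp: CSP_NONE,
      expectBlocked: true,
    },
    {
      id: "worker_blob_child_blob_importScripts_cross_bad",
      base: CROSS_BASE,
      action: "importScripts",
      type: "blob",
      csp: CSP_SELF_BLOB,
      child: "blob",
      childCsp: CSP_NONE,
      expectBlocked: true,
    },

    // create parent worker from url, child worker from url;
    // the child's CSP is delivered via its own response header.
    // csp should be: default-src 'none'
    {
      id: "worker_url_child_url_fetch_cross_bad",
      base: CROSS_BASE,
      action: "fetch",
      type: "url",
      csp: CSP_SELF_BLOB,
      child: "url",
      childCsp: CSP_NONE,
      expectBlocked: true,
    },
    {
      id: "worker_url_child_url_xhr_cross_bad",
      base: CROSS_BASE,
      action: "xhr",
      type: "url",
      csp: CSP_SELF_BLOB,
      child: "url",
      childCsp: CSP_NONE,
      expectBlocked: true,
    },
    {
      id: "worker_url_child_url_importScripts_cross_bad",
      base: CROSS_BASE,
      action: "importScripts",
      type: "url",
      csp: CSP_SELF_BLOB,
      child: "url",
      childCsp: CSP_NONE,
      expectBlocked: true,
    },
    {
      id: "worker_url_child_url_fetch_same_bad",
      base: SAME_BASE,
      action: "fetch",
      type: "url",
      csp: CSP_SELF_BLOB,
      child: "url",
      childCsp: CSP_NONE,
      expectBlocked: true,
    },
    {
      id: "worker_url_child_url_xhr_same_bad",
      base: SAME_BASE,
      action: "xhr",
      type: "url",
      csp: CSP_SELF_BLOB,
      child: "url",
      childCsp: CSP_NONE,
      expectBlocked: true,
    },
    {
      id: "worker_url_child_url_importScripts_same_bad",
      base: SAME_BASE,
      action: "importScripts",
      type: "url",
      csp: CSP_SELF_BLOB,
      child: "url",
      childCsp: CSP_NONE,
      expectBlocked: true,
    },

    // create parent worker from blob, child worker from url;
    // the child's CSP is delivered via its own response header.
    // csp should be: default-src 'none'
    {
      id: "worker_blob_child_url_fetch_cross_bad",
      base: CROSS_BASE,
      action: "fetch",
      type: "blob",
      csp: CSP_SELF_BLOB,
      child: "url",
      childCsp: CSP_NONE,
      expectBlocked: true,
    },
    {
      id: "worker_blob_child_url_xhr_cross_bad",
      base: CROSS_BASE,
      action: "xhr",
      type: "blob",
      csp: CSP_SELF_BLOB,
      child: "url",
      childCsp: CSP_NONE,
      expectBlocked: true,
    },
    {
      id: "worker_blob_child_url_importScripts_cross_bad",
      base: CROSS_BASE,
      action: "importScripts",
      type: "blob",
      csp: CSP_SELF_BLOB,
      child: "url",
      childCsp: CSP_NONE,
      expectBlocked: true,
    },
    {
      id: "worker_blob_child_url_fetch_same_bad",
      base: SAME_BASE,
      action: "fetch",
      type: "blob",
      csp: CSP_SELF_BLOB,
      child: "url",
      childCsp: CSP_NONE,
      expectBlocked: true,
    },
    {
      id: "worker_blob_child_url_xhr_same_bad",
      base: SAME_BASE,
      action: "xhr",
      type: "blob",
      csp: CSP_SELF_BLOB,
      child: "url",
      childCsp: CSP_NONE,
      expectBlocked: true,
    },
    {
      id: "worker_blob_child_url_importScripts_same_bad",
      base: SAME_BASE,
      action: "importScripts",
      type: "blob",
      csp: CSP_SELF_BLOB,
      child: "url",
      childCsp: CSP_NONE,
      expectBlocked: true,
    },
  ];

  /**
   * Builds the worker.sjs URL for one test case.
   *
   * base, action, csp and id are always sent; child and childCsp only when
   * the case defines them (same truthiness check as before).
   *
   * @param {object} data - one entry of `tests` (see the format comment above)
   * @returns {string} relative URL of the worker script with its query string
   */
  function buildWorkerSrc(data) {
    const params = [
      ["base", data.base],
      ["action", data.action],
      ["csp", data.csp],
      ["id", data.id],
    ];
    if (data.child) {
      params.push(["child", data.child]);
    }
    if (data.childCsp) {
      params.push(["childCsp", data.childCsp]);
    }
    // encodeURIComponent replaces the deprecated escape(). Every value here is
    // plain ASCII, so a %XX-decoding receiver gets the same string either way;
    // URLSearchParams is deliberately not used because it encodes spaces as
    // '+', which the CSP strings contain.
    const query = params
      .map(([key, value]) => `${key}=${encodeURIComponent(value)}`)
      .join("&");
    return `${SJS}?${query}`;
  }

  /**
   * Runs one test case: spawns the worker the way `data.type` asks for, then
   * asks file_CSP.sjs whether the request tagged with `data.id` was blocked
   * and compares that with `data.expectBlocked`.
   *
   * @param {object} data - one entry of `tests`
   * @throws {Error} if `data.type` is neither "url" nor "blob"
   */
  async function runWorkerTest(data) {
    const src = buildWorkerSrc(data);

    switch (data.type) {
      case "url":
        // Worker loaded straight from the sjs URL: its CSP comes from the
        // response header the sjs emits.
        new Worker(src);
        break;

      case "blob":
        // Worker created from a blob: URL: it has no header of its own, so it
        // is expected to inherit the creating document's CSP.
        new Worker(URL.createObjectURL(await doXHRGetBlob(src)));
        break;

      default:
        throw new Error(`Unsupported worker type: ${data.type}`);
    }

    // assertCSPBlock (worker_helper.js) presumably queries file_CSP.sjs for
    // this id and compares the outcome with expectBlocked.
    const checkUri = `${data.base}?id=${encodeURIComponent(data.id)}`;
    await assertCSPBlock(checkUri, data.expectBlocked);
    runNextTest();
  }

  for (const test of tests) {
    addAsyncTest(async () => {
      // Awaited so a failure inside runWorkerTest rejects this task instead of
      // surfacing as an unhandled rejection.
      await runWorkerTest(test);
    });
  }

  runNextTest();
</script>

</body>
</html>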