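<!DOCTYPE html>
<title>DedicatedWorker: CSP for ES Modules</title>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script>

// Opens |url| in a new window and resolves once that window posts 'LOADED'.
// The window is closed when any test result is reported; because every call
// registers its own close() callback, later tests' callbacks also run against
// already-closed windows, which is harmless.
async function openWindow(url) {
  const win = window.open(url, '_blank');
  // A blocked popup would otherwise surface as a hang / TypeError on close().
  assert_not_equals(win, null, 'window.open() must not be blocked');
  add_result_callback(() => win.close());
  // The handler is installed only while waiting for the helper window just
  // opened; promise_test() serializes tests, so no other sender is expected.
  // No origin check is performed on the incoming message — acceptable for a
  // same-origin test helper, but do not copy this pattern into product code.
  const msg_event = await new Promise(resolve => window.onmessage = resolve);
  assert_equals(msg_event.data, 'LOADED');
  return win;
}

// Registers a promise_test that opens the helper window, asks it to start a
// dedicated worker whose script response carries |cspHeader|, and checks that
// the list of modules the worker reports as imported equals
// |expectedImportedModules| (['ERROR'] when the import was blocked).
//
// cspHeader:               value of the Content-Security-Policy header served
//                          with the worker script.
// importType:              'static' or 'dynamic'; selects the worker script.
// expectedImportedModules: array the worker is expected to post back.
// description:             promise_test() description.
function import_csp_test(
    cspHeader, importType, expectedImportedModules, description) {
  // NOTE(review): the original comment stated that the CSP header is appended
  // to windowURL for static import tests (static imports obeying the Window's
  // CSP), but windowURL carries no CSP below — only scriptURL does. Either the
  // comment was stale or the Window-CSP case is not exercised here; confirm
  // against the spec before relying on the static-import expectations.
  const windowURL = `resources/new-worker-window.html`;
  // wptserve's `pipe=header(...)` query attaches |cspHeader| to the worker
  // script's response. This is the only CSP under test in this file, for both
  // the static and the dynamic import cases.
  const scriptURL = `${importType}-import-remote-origin-script-worker.sub.js` +
                    `?pipe=header(Content-Security-Policy, ${cspHeader})`;
  promise_test(async () => {
    const win = await openWindow(windowURL);
    // Ask the window to start a dedicated worker. The helper window is
    // same-origin (relative URL), so the '*' target origin could be tightened
    // to location.origin without changing behavior.
    win.postMessage(scriptURL, '*');
    const msg_event = await new Promise(resolve => window.onmessage = resolve);
    assert_array_equals(msg_event.data, expectedImportedModules);
  }, description);
}

// Tests for static import.
//
// Static import should obey the worker-src directive and the script-src
// directive. If both directives are specified, the worker-src directive
// should be prioritized.
//
// Step 1: "If the result of executing 6.6.1.11 Get the effective directive for
// request on request is "worker-src", and policy contains a directive whose
// name is "worker-src", return "Allowed"."
// "Note: If worker-src is present, we’ll defer to it when handling worker
// requests."
// https://w3c.github.io/webappsec-csp/#script-src-pre-request

import_csp_test(
    "worker-src 'self' 'unsafe-inline'",
    "static",
    ['ERROR'],
    "worker-src 'self' directive should disallow cross origin static import.");

import_csp_test(
    "worker-src * 'unsafe-inline'",
    "static",
    ["export-on-load-script.js"],
    "worker-src * directive should allow cross origin static import.");

import_csp_test(
    "script-src 'self' 'unsafe-inline'",
    "static",
    ['ERROR'],
    "script-src 'self' directive should disallow cross origin static import.");

import_csp_test(
    "script-src * 'unsafe-inline'",
    "static",
    ["export-on-load-script.js"],
    "script-src * directive should allow cross origin static import.");

import_csp_test(
    "worker-src *; script-src 'self' 'unsafe-inline'",
    "static",
    ["export-on-load-script.js"],
    "worker-src * directive should override script-src 'self' directive and " +
    "allow cross origin static import.");

import_csp_test(
    "worker-src 'self'; script-src * 'unsafe-inline'",
    "static",
    ['ERROR'],
    "worker-src 'self' directive should override script-src * directive and " +
    "disallow cross origin static import.");

// Tests for dynamic import.
//
// Dynamic import should obey the script-src directive instead of the worker-src
// directive according to the specs:
//
// Dynamic import has the "script" destination.
// Step 2.4: "Fetch a module script graph given url, ..., "script", ..."
// https://html.spec.whatwg.org/multipage/webappapis.html#hostimportmoduledynamically(referencingscriptormodule,-specifier,-promisecapability)
//
// The "script" destination should obey the script-src CSP directive.
// Step 2: "If request's destination is script-like:"
// https://w3c.github.io/webappsec-csp/#script-src-pre-request

import_csp_test(
    "script-src 'self' 'unsafe-inline'",
    "dynamic",
    ['ERROR'],
    "script-src 'self' directive should disallow cross origin dynamic import.");

import_csp_test(
    "script-src * 'unsafe-inline'",
    "dynamic",
    ["export-on-load-script.js"],
    "script-src * directive should allow cross origin dynamic import.");

import_csp_test(
    "worker-src 'self' 'unsafe-inline'",
    "dynamic",
    ["export-on-load-script.js"],
    "worker-src 'self' directive should not take effect on dynamic import.");

</script>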