      1 <!DOCTYPE html>
      2 <title>SharedWorker: CSP for ES Modules</title>
      3 <meta name="timeout" content="long">
      4 <script src="/resources/testharness.js"></script>
      5 <script src="/resources/testharnessreport.js"></script>
      6 <script>
      7 
// Tracks the shared workers created so far so that each test can assert the
// worker it starts has not already been registered by an earlier test.
const existingWorkers = new Set();
     10 
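/**
 * Opens the helper page in a new window and waits until it posts 'LOADED'.
 *
 * The window is closed automatically when the calling test finishes.
 *
 * @param {string} url Page to open.
 * @returns {Promise<Window>} The opened window, ready to receive messages.
 */
async function openWindow(url) {
  const win = window.open(url, '_blank');
  // A blocked popup yields null; fail right away instead of waiting for a
  // 'LOADED' message (and the harness timeout) that would never arrive.
  assert_not_equals(win, null, `window.open(${url}) returned null`);
  add_result_callback(() => win.close());
  // Any previously installed handler is replaced; the helper page's first
  // message is expected to be 'LOADED'.
  const msgEvent = await new Promise(resolve => window.onmessage = resolve);
  assert_equals(msgEvent.data, 'LOADED');
  return win;
}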
     18 
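/**
 * Registers a promise_test that starts a SharedWorker whose script response
 * carries the given CSP header, then checks which modules it could import.
 *
 * @param {string} cspHeader CSP value attached to the worker script response.
 * @param {string} importType 'static' or 'dynamic'; selects the worker script.
 * @param {string[]} expectedImportedModules Module list the worker is expected
 *   to report (['ERROR'] when the import must be blocked).
 * @param {string} description Test description passed to promise_test.
 */
function import_csp_test(
    cspHeader, importType, expectedImportedModules, description) {
  // The helper window is opened without any CSP of its own: a shared worker
  // does not inherit the creating window's policy, so only the header on the
  // worker script's response is exercised here.
  const windowURL = "resources/new-shared-worker-window.html";
  // The WPT server's pipe=header() feature attaches the CSP header to the
  // worker script's response, which is the policy the worker must obey.
  const scriptURL = `${importType}-import-remote-origin-script-worker.sub.js` +
    `?pipe=header(Content-Security-Policy, ${cspHeader})`;
  promise_test(async () => {
    const win = await openWindow(windowURL);
    // A SharedWorker is identified by its script URL and name, so every test
    // must use a pair no earlier test has used.
    const name = `${cspHeader}_${importType}`;
    const workerProperties = { scriptURL, name };
    // Track the pair as a string: a Set of freshly built object literals
    // compares by reference and would never report a duplicate.
    const workerKey = `${scriptURL}\n${name}`;
    assert_false(existingWorkers.has(workerKey),
                 `shared worker "${name}" was already created by another test`);
    existingWorkers.add(workerKey);

    // Ask the window to start a shared worker with the given CSP header.
    // The helper page is loaded from a relative URL and is therefore
    // same-origin, so our own origin is used as the target instead of '*'.
    // The shared worker doesn't inherit the window's CSP header.
    // https://w3c.github.io/webappsec-csp/#initialize-global-object-csp
    win.postMessage(workerProperties, location.origin);
    const msgEvent = await new Promise(resolve => window.onmessage = resolve);
    assert_array_equals(msgEvent.data, expectedImportedModules);
  }, description);
}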
     46 
     47 // Tests for static import.
     48 //
     49 // Static import should obey the worker-src directive and the script-src
     50 // directive. If both directives are specified, the worker-src directive
     51 // should be prioritized.
     52 //
     53 // "The script-src directive acts as a default fallback for all script-like
     54 // destinations (including worker-specific destinations if worker-src is not
     55 // present)."
     56 // https://w3c.github.io/webappsec-csp/#directive-script-src
     57 
// Each entry: [CSP header for the worker script response, expected module
// list reported by the worker, test description].
const staticImportCases = [
  ["worker-src 'self' 'unsafe-inline'",
   ['ERROR'],
   "worker-src 'self' directive should disallow cross origin static import."],
  ["worker-src * 'unsafe-inline'",
   ["export-on-load-script.js"],
   "worker-src * directive should allow cross origin static import."],
  ["script-src 'self' 'unsafe-inline'",
   ['ERROR'],
   "script-src 'self' directive should disallow cross origin static import."],
  ["script-src * 'unsafe-inline'",
   ["export-on-load-script.js"],
   "script-src * directive should allow cross origin static import."],
  ["worker-src *; script-src 'self' 'unsafe-inline'",
   ["export-on-load-script.js"],
   "worker-src * directive should override script-src 'self' directive and allow cross origin static import."],
  ["worker-src 'self'; script-src * 'unsafe-inline'",
   ['ERROR'],
   "worker-src 'self' directive should override script-src * directive and disallow cross origin static import."],
];

// Register the static-import tests in table order.
for (const [cspHeader, expectedImportedModules, description] of staticImportCases) {
  import_csp_test(cspHeader, "static", expectedImportedModules, description);
}
     89 
     90 // Tests for dynamic import.
     91 //
     92 // Dynamic import should obey SharedWorker script's CSP instead of parent
     93 // Window's CSP.
     94 //
     95 // Dynamic import should obey the script-src directive instead of the worker-src
     96 // directive according to the specs:
     97 //
     98 // Dynamic import has the "script" destination.
     99 // Step 3: "Fetch a single module script graph given url, ..., "script", ..."
    100 // https://html.spec.whatwg.org/multipage/webappapis.html#fetch-an-import()-module-script-graph
    101 //
    102 // The "script" destination should obey the script-src CSP directive.
    103 // "The script-src directive acts as a default fallback for all script-like
    104 // destinations (including worker-specific destinations if worker-src is not
    105 // present)."
    106 // https://w3c.github.io/webappsec-csp/#directive-script-src
    107 
// Each entry: [CSP header for the worker script response, expected module
// list reported by the worker, test description].
const dynamicImportCases = [
  ["script-src 'self' 'unsafe-inline'",
   ['ERROR'],
   "script-src 'self' directive should disallow cross origin dynamic import."],
  ["script-src * 'unsafe-inline'",
   ["export-on-load-script.js"],
   "script-src * directive should allow cross origin dynamic import."],
  ["worker-src 'self' 'unsafe-inline'",
   ["export-on-load-script.js"],
   "worker-src 'self' directive should not take effect on dynamic import."],
];

// Register the dynamic-import tests in table order.
for (const [cspHeader, expectedImportedModules, description] of dynamicImportCases) {
  import_csp_test(cspHeader, "dynamic", expectedImportedModules, description);
}
    122 
    123 </script>