
Service-Worker-Allowed-header.https.html (3216B)


      1 <!DOCTYPE html>
      2 <title>Service Worker: Service-Worker-Allowed header</title>
      3 <script src="/resources/testharness.js"></script>
      4 <script src="/resources/testharnessreport.js"></script>
      5 <script src="/common/get-host-info.sub.js"></script>
      6 <script src="resources/test-helpers.sub.js"></script>
      7 <script>
      8 
// Origins of the WPT test servers, as returned by get_host_info() from
// /common/get-host-info.sub.js. The cross-origin cases in this file read
// HTTPS_REMOTE_ORIGIN from it.
const host_info = get_host_info();
     10 
/**
 * Builds the URL of a service worker script whose response carries a
 * Service-Worker-Allowed header set to |allowed_path|.
 *
 * The header is injected through the `pipe=header(...)` query parameter.
 * |allowed_path| is interpolated as-is, so a value containing ',' or ')'
 * would presumably break the pipe expression; every caller in this file
 * passes a fixed path or URL.
 *
 * @param {string|URL} allowed_path Value for the Service-Worker-Allowed header.
 * @param {string=} origin If given (and non-empty), the script URL is made
 *     absolute on that origin using base_path(); otherwise it stays relative
 *     to the current document.
 * @returns {string} The worker script URL, including the header pipe.
 */
function build_script_url(allowed_path, origin) {
  const worker_path = 'resources/empty-worker.js';
  let script_url = worker_path;
  if (origin) {
    script_url = `${origin}${base_path()}${worker_path}`;
  }
  const header_pipe = `header(Service-Worker-Allowed,${allowed_path})`;
  return `${script_url}?pipe=${header_pipe}`;
}
     19 
/**
 * Declares a promise_test that registers |script| for |scope| and expects the
 * registration to succeed with exactly that (normalized) scope.
 *
 * @param {string} script URL of the service worker script.
 * @param {string} scope Scope to register; also unregistered on cleanup.
 * @param {string} description Name of the test.
 */
function register_test(script, scope, description) {
  async function expect_registration(test) {
    // Always drop the registration afterwards so it cannot leak into later
    // tests that reuse the same scope.
    test.add_cleanup(() => service_worker_unregister(test, scope));

    const reg = await service_worker_unregister_and_register(
        test, script, scope);
    assert_true(reg instanceof ServiceWorkerRegistration, 'registered');
    assert_equals(reg.scope, normalizeURL(scope));
  }

  promise_test(expect_registration, description);
}
     33 
/**
 * Like register_test, but the registration attempt must be rejected with a
 * SecurityError DOMException. Used for scopes that the Service-Worker-Allowed
 * header must not permit.
 *
 * @param {string} script URL of the service worker script.
 * @param {string} scope Scope to attempt; also unregistered on cleanup.
 * @param {string} description Name of the test.
 */
function register_fail_test(script, scope, description) {
  const expect_security_error = async (test) => {
    // Clean up even on failure: if the browser wrongly accepts the
    // registration, it must not stay behind for later tests.
    test.add_cleanup(() => service_worker_unregister(test, scope));

    // Start from a clean state so a stale registration cannot mask the result.
    await service_worker_unregister(test, scope);
    const attempt = navigator.serviceWorker.register(script, {scope});
    await promise_rejects_dom(test, 'SecurityError', attempt);
  };

  promise_test(expect_security_error, description);
}
     47 
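// Per the Service Worker specification, a worker script may by default only
// be registered for scopes at or below its own directory. The
// Service-Worker-Allowed response header lets the server widen that maximum
// scope. The cases below check that the widening is honoured and that it
// cannot be used to escape the permitted path or to cross origins.

// --- Scope inside the path named by the header: registration succeeds. ---

register_test(
    build_script_url('/allowed-path'),
    '/allowed-path',
    'Registering within Service-Worker-Allowed path');

// Same path, but the header value is an absolute same-origin URL.
register_test(
    build_script_url(new URL('/allowed-path', document.location)),
    '/allowed-path',
    'Registering within Service-Worker-Allowed path (absolute URL)');

// A relative header value containing '..'; the scope is given relative to
// this document and is expected to fall inside the resulting path.
register_test(
    build_script_url('../allowed-path-with-parent'),
    'allowed-path-with-parent',
    'Registering within Service-Worker-Allowed path with parent reference');

// --- Scope outside the path named by the header: SecurityError. ---

// Fixed: this statement originally ended in ',' and was chained to the next
// call by the comma operator; each test is now its own statement.
register_fail_test(
    build_script_url('../allowed-path'),
    '/disallowed-path',
    'Registering outside Service-Worker-Allowed path');

// Same header value as the passing case above, but the scope is rooted at
// '/', so it lies outside the allowed path.
register_fail_test(
    build_script_url('../allowed-path-with-parent'),
    '/allowed-path-with-parent',
    'Registering outside Service-Worker-Allowed path with parent reference');

// --- Cross-origin header values: SecurityError. ---

// The header names another origin while the script is same-origin to the
// page. Registration must fail even for a scope that would be accepted
// without any header at all.
register_fail_test(
    build_script_url(`${host_info.HTTPS_REMOTE_ORIGIN}/`),
    'resources/this-scope-is-normally-allowed',
    'Service-Worker-Allowed is cross-origin to script, registering on a normally allowed scope');

register_fail_test(
    build_script_url(`${host_info.HTTPS_REMOTE_ORIGIN}/`),
    '/this-scope-is-normally-disallowed',
    'Service-Worker-Allowed is cross-origin to script, registering on a normally disallowed scope');

// Script and header share the remote origin, but the registering page does
// not: a header that is same-origin to the script does not make a
// cross-origin registration acceptable.
register_fail_test(
    build_script_url(`${host_info.HTTPS_REMOTE_ORIGIN}/cross-origin/`,
                     host_info.HTTPS_REMOTE_ORIGIN),
    '/cross-origin/',
    'Service-Worker-Allowed is cross-origin to page, same-origin to script');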
     88 </script>