fetch-csp.https.html (5748B)
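<!DOCTYPE html>
<title>Service Worker: CSP control of fetch()</title>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/common/get-host-info.sub.js"></script>
<script src="resources/test-helpers.sub.js?pipe=sub"></script>
<script>
// Checks that a document's Content Security Policy (img-src) still governs
// image loads and fetch() calls made from a controlled iframe when the
// requests are answered or rewritten by a service worker, or redirected.
// The policy under test is passed to resources/fetch-csp-iframe.html in its
// query string (the iframe page is expected to apply it; see that file).

// Pass |promise| through when it fulfills; when it rejects, fail with an
// Error that carries |description| and the original rejection reason.
function assert_resolves(promise, description) {
  return promise.catch(function(reason) {
    // The reason is not guaranteed to be an Error (an image load may reject
    // with undefined), so do not assume it has a .message.
    var detail = (reason && reason.message !== undefined) ?
        reason.message : String(reason);
    throw new Error(description + ' - ' + detail);
  });
}

// Resolve when |promise| rejects; fail with |description| if it fulfills.
function assert_rejects(promise, description) {
  return promise.then(
      function() { throw new Error(description); },
      function() {});
}

promise_test(function(t) {
  var SCOPE = 'resources/fetch-csp-iframe.html';
  var SCRIPT = 'resources/fetch-rewrite-worker.js';
  var host_info = get_host_info();
  var IMAGE_PATH =
      base_path() + 'resources/fetch-access-control.py?PNGIMAGE';
  var IMAGE_URL = host_info['HTTPS_ORIGIN'] + IMAGE_PATH;
  var REMOTE_IMAGE_URL = host_info['HTTPS_REMOTE_ORIGIN'] + IMAGE_PATH;
  var REDIRECT_URL =
      host_info['HTTPS_ORIGIN'] + base_path() + 'resources/redirect.py';
  var frame;

  return service_worker_unregister_and_register(t, SCRIPT, SCOPE)
    .then(function(registration) {
      t.add_cleanup(function() {
        return service_worker_unregister(t, SCOPE);
      });

      return wait_for_state(t, registration.installing, 'activated');
    })
    .then(function() {
      // Policy: images may only come from the same-origin host.
      return with_iframe(
          SCOPE + '?' +
          encodeURIComponent('img-src ' + host_info['HTTPS_ORIGIN'] +
                             '; script-src \'unsafe-inline\''));
    })
    .then(function(f) {
      frame = f;
      return assert_resolves(
          frame.contentWindow.load_image(IMAGE_URL),
          'Allowed scope image resource should be loaded.');
    })
    .then(function() {
      return assert_rejects(
          frame.contentWindow.load_image(REMOTE_IMAGE_URL),
          'Disallowed scope image resource should not be loaded.');
    })
    .then(function() {
      return assert_resolves(
          frame.contentWindow.load_image(
              // The request for IMAGE_URL will be fetched in SW.
              './sample?url=' + encodeURIComponent(IMAGE_URL)),
          'Allowed scope image resource which was fetched via SW should ' +
          'be loaded.');
    })
    .then(function() {
      return assert_rejects(
          frame.contentWindow.load_image(
              // The request for REMOTE_IMAGE_URL will be fetched in SW.
              './sample?mode=no-cors&url=' +
              encodeURIComponent(REMOTE_IMAGE_URL)),
          'Disallowed scope image resource which was fetched via SW ' +
          'should not be loaded.');
    })
    .then(function() {
      frame.remove();
      // Policy: images may only come from the redirector URL; the final
      // image URL itself is not listed.
      return with_iframe(
          SCOPE + '?' +
          encodeURIComponent(
              'img-src ' + REDIRECT_URL +
              '; script-src \'unsafe-inline\''));
    })
    .then(function(f) {
      frame = f;
      return assert_resolves(
          frame.contentWindow.load_image(
              // 'ignore' tells the SW not to call respondWith() for this
              // request, so the redirect happens without SW involvement.
              REDIRECT_URL + '?ignore&Redirect=' +
              encodeURIComponent(IMAGE_URL)),
          'When the request was redirected, CSP match algorithm should ' +
          'ignore the path component of the URL.');
    })
    .then(function() {
      return assert_resolves(
          frame.contentWindow.load_image(
              // This request will be fetched via SW and redirected by
              // redirect.py.
              REDIRECT_URL + '?Redirect=' + encodeURIComponent(IMAGE_URL)),
          'When the request was redirected via SW, CSP match algorithm ' +
          'should ignore the path component of the URL.');
    })
    .then(function() {
      return assert_resolves(
          frame.contentWindow.load_image(
              // The request for IMAGE_URL will be fetched in SW.
              REDIRECT_URL + '?url=' + encodeURIComponent(IMAGE_URL)),
          'When the request was fetched via SW, CSP match algorithm ' +
          'should ignore the path component of the URL.');
    })
    .then(function() {
      // The &fetchN suffixes keep each fetch() URL distinct from the image
      // loads above so responses cannot be served from an earlier request.
      return assert_resolves(
          frame.contentWindow.fetch(IMAGE_URL + "&fetch1", { mode: 'no-cors'}),
          'Allowed scope fetch resource should be loaded.');
    })
    .then(function() {
      return assert_resolves(
          frame.contentWindow.fetch(
              // The request for IMAGE_URL will be fetched in SW.
              './sample?url=' + encodeURIComponent(IMAGE_URL + '&fetch2'), { mode: 'no-cors'}),
          'Allowed scope fetch resource which was fetched via SW should be loaded.');
    })
    .then(function() {
      return assert_rejects(
          frame.contentWindow.fetch(REMOTE_IMAGE_URL + "&fetch3", { mode: 'no-cors'}),
          'Disallowed scope fetch resource should not be loaded.');
    })
    .then(function() {
      return assert_rejects(
          frame.contentWindow.fetch(
              // The request for REMOTE_IMAGE_URL will be fetched in SW.
              './sample?url=' + encodeURIComponent(REMOTE_IMAGE_URL + '&fetch4'), { mode: 'no-cors'}),
          'Disallowed scope fetch resource which was fetched via SW should not be loaded.');
    })
    .then(function() {
      frame.remove();
    });
}, 'Verify CSP control of fetch() in a Service Worker');
</script>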