sandboxed-iframe-fetch-event.https.html (19015B)
1 <!DOCTYPE html> 2 <title>ServiceWorker FetchEvent for sandboxed iframe.</title> 3 <meta name="timeout" content="long"> 4 <script src="/resources/testharness.js"></script> 5 <script src="/resources/testharnessreport.js"></script> 6 <script src="resources/test-helpers.sub.js"></script> 7 <body> 8 <script> 9 var lastCallbackId = 0; 10 var callbacks = {}; 11 function doTest(frame, type) { 12 return new Promise(function(resolve) { 13 var id = ++lastCallbackId; 14 callbacks[id] = resolve; 15 frame.contentWindow.postMessage({id: id, type: type}, '*'); 16 }); 17 } 18 19 // Asks the service worker for data about requests and clients seen. The 20 // worker posts a message back with |data| where: 21 // |data.requests|: the requests the worker received FetchEvents for 22 // |data.clients|: the URLs of all the worker's clients 23 // The worker clears its data after responding. 24 function getResultsFromWorker(worker) { 25 return new Promise(resolve => { 26 let channel = new MessageChannel(); 27 channel.port1.onmessage = msg => { 28 resolve(msg.data); 29 }; 30 worker.postMessage({port: channel.port2}, [channel.port2]); 31 }); 32 } 33 34 window.onmessage = function (e) { 35 message = e.data; 36 var id = message['id']; 37 var callback = callbacks[id]; 38 delete callbacks[id]; 39 callback(message['result']); 40 }; 41 42 const SCOPE = 'resources/sandboxed-iframe-fetch-event-iframe.py'; 43 const SCRIPT = 'resources/sandboxed-iframe-fetch-event-worker.js'; 44 const expected_base_url = new URL(SCOPE, location.href); 45 // Service worker controlling |SCOPE|. 46 let worker; 47 // A normal iframe. 48 // This should be controlled by a service worker. 49 let normal_frame; 50 // An iframe created by <iframe sandbox='allow-scripts'>. 51 // This should NOT be controlled by a service worker. 52 let sandboxed_frame; 53 // An iframe created by <iframe sandbox='allow-scripts allow-same-origin'>. 54 // This should be controlled by a service worker. 55 let sandboxed_same_origin_frame; 56 // An iframe whose response header has 57 // 'Content-Security-Policy: allow-scripts'. 58 // This should NOT be controlled by a service worker. 59 let sandboxed_frame_by_header; 60 // An iframe whose response header has 61 // 'Content-Security-Policy: allow-scripts allow-same-origin'. 62 // This should be controlled by a service worker. 63 let sandboxed_same_origin_frame_by_header; 64 65 promise_test(t => { 66 return service_worker_unregister_and_register(t, SCRIPT, SCOPE) 67 .then(function(registration) { 68 add_completion_callback(() => registration.unregister()); 69 worker = registration.installing; 70 return wait_for_state(t, registration.installing, 'activated'); 71 }); 72 }, 'Prepare a service worker.'); 73 74 promise_test(t => { 75 return with_iframe(SCOPE + '?iframe') 76 .then(f => { 77 normal_frame = f; 78 add_completion_callback(() => f.remove()); 79 return getResultsFromWorker(worker); 80 }) 81 .then(data => { 82 let requests = data.requests; 83 assert_equals(requests.length, 1); 84 assert_equals(requests[0], expected_base_url + '?iframe'); 85 assert_true(data.clients.includes(expected_base_url + '?iframe')); 86 }); 87 }, 'Prepare a normal iframe.'); 88 89 promise_test(t => { 90 return with_sandboxed_iframe(SCOPE + '?sandboxed-iframe', 'allow-scripts') 91 .then(f => { 92 sandboxed_frame = f; 93 add_completion_callback(() => f.remove()); 94 return getResultsFromWorker(worker); 95 }) 96 .then(data => { 97 assert_equals(data.requests.length, 0); 98 assert_false(data.clients.includes(expected_base_url + 99 '?sandboxed-iframe')); 100 }); 101 }, 'Prepare an iframe sandboxed by <iframe sandbox="allow-scripts">.'); 102 103 promise_test(t => { 104 return with_sandboxed_iframe(SCOPE + '?sandboxed-iframe-same-origin', 105 'allow-scripts allow-same-origin') 106 .then(f => { 107 sandboxed_same_origin_frame = f; 108 add_completion_callback(() => f.remove()); 109 return getResultsFromWorker(worker); 110 }) 111 .then(data => { 112 let requests = data.requests; 113 assert_equals(requests.length, 1); 114 assert_equals(requests[0], 115 expected_base_url + '?sandboxed-iframe-same-origin'); 116 assert_true(data.clients.includes( 117 expected_base_url + '?sandboxed-iframe-same-origin')); 118 }) 119 }, 'Prepare an iframe sandboxed by ' + 120 '<iframe sandbox="allow-scripts allow-same-origin">.'); 121 122 promise_test(t => { 123 const iframe_full_url = expected_base_url + '?sandbox=allow-scripts&' + 124 'sandboxed-frame-by-header'; 125 return with_iframe(iframe_full_url) 126 .then(f => { 127 sandboxed_frame_by_header = f; 128 add_completion_callback(() => f.remove()); 129 return getResultsFromWorker(worker); 130 }) 131 .then(data => { 132 let requests = data.requests; 133 assert_equals(requests.length, 1, 134 'Service worker should provide the response'); 135 assert_equals(requests[0], iframe_full_url); 136 assert_false(data.clients.includes(iframe_full_url), 137 'Service worker should NOT control the sandboxed page'); 138 }); 139 }, 'Prepare an iframe sandboxed by CSP HTTP header with allow-scripts.'); 140 141 promise_test(t => { 142 const iframe_full_url = 143 expected_base_url + '?sandbox=allow-scripts%20allow-same-origin&' + 144 'sandboxed-iframe-same-origin-by-header'; 145 return with_iframe(iframe_full_url) 146 .then(f => { 147 sandboxed_same_origin_frame_by_header = f; 148 add_completion_callback(() => f.remove()); 149 return getResultsFromWorker(worker); 150 }) 151 .then(data => { 152 let requests = data.requests; 153 assert_equals(requests.length, 1); 154 assert_equals(requests[0], iframe_full_url); 155 assert_true(data.clients.includes(iframe_full_url)); 156 }) 157 }, 'Prepare an iframe sandboxed by CSP HTTP header with allow-scripts and ' + 158 'allow-same-origin.'); 159 160 promise_test(t => { 161 let frame = normal_frame; 162 return doTest(frame, 'fetch') 163 .then(result => { 164 assert_equals(result, 'done'); 165 return getResultsFromWorker(worker); 166 }) 167 .then(data => { 168 let requests = data.requests; 169 assert_equals(requests.length, 1, 170 'The fetch request should be handled by SW.'); 171 assert_equals(requests[0], frame.src + '&test=fetch'); 172 }); 173 }, 'Fetch request from a normal iframe'); 174 175 promise_test(t => { 176 let frame = normal_frame; 177 return doTest(frame, 'fetch-from-worker') 178 .then(result => { 179 assert_equals(result, 'done'); 180 return getResultsFromWorker(worker); 181 }) 182 .then(data => { 183 let requests = data.requests; 184 assert_equals(requests.length, 1, 185 'The fetch request should be handled by SW.'); 186 assert_equals(requests[0], frame.src + '&test=fetch-from-worker'); 187 }); 188 }, 'Fetch request from a worker in a normal iframe'); 189 190 promise_test(t => { 191 let frame = normal_frame; 192 return doTest(frame, 'iframe') 193 .then(result => { 194 assert_equals(result, 'done'); 195 return getResultsFromWorker(worker); 196 }) 197 .then(data => { 198 let requests = data.requests; 199 assert_equals(requests.length, 1, 200 'The request should be handled by SW.'); 201 assert_equals(requests[0], frame.src + '&test=iframe'); 202 assert_true(data.clients.includes(frame.src + '&test=iframe')); 203 204 }); 205 }, 'Request for an iframe in the normal iframe'); 206 207 promise_test(t => { 208 let frame = normal_frame; 209 return doTest(frame, 'sandboxed-iframe') 210 .then(result => { 211 assert_equals(result, 'done'); 212 return getResultsFromWorker(worker); 213 }) 214 .then(data => { 215 assert_equals(data.requests.length, 0, 216 'The request should NOT be handled by SW.'); 217 assert_false(data.clients.includes( 218 frame.src + '&test=sandboxed-iframe')); 219 }); 220 }, 'Request for an sandboxed iframe with allow-scripts flag in the normal ' + 221 'iframe'); 222 223 promise_test(t => { 224 let frame = normal_frame; 225 return doTest(frame, 'sandboxed-iframe-same-origin') 226 .then(result => { 227 assert_equals(result, 'done'); 228 return getResultsFromWorker(worker); 229 }) 230 .then(data => { 231 let requests = data.requests; 232 assert_equals(requests.length, 1, 233 'The request should be handled by SW.'); 234 assert_equals(requests[0], 235 frame.src + '&test=sandboxed-iframe-same-origin'); 236 assert_true(data.clients.includes( 237 frame.src + '&test=sandboxed-iframe-same-origin')); 238 }); 239 }, 'Request for an sandboxed iframe with allow-scripts and ' + 240 'allow-same-origin flag in the normal iframe'); 241 242 promise_test(t => { 243 let frame = sandboxed_frame; 244 return doTest(frame, 'fetch') 245 .then(result => { 246 assert_equals(result, 'done'); 247 return getResultsFromWorker(worker); 248 }) 249 .then(data => { 250 assert_equals(data.requests.length, 0, 251 'The fetch request should NOT be handled by SW.'); 252 }); 253 }, 'Fetch request from iframe sandboxed by an attribute with allow-scripts ' + 254 'flag'); 255 256 promise_test(t => { 257 let frame = sandboxed_frame; 258 return doTest(frame, 'fetch-from-worker') 259 .then(result => { 260 assert_equals(result, 'done'); 261 return getResultsFromWorker(worker); 262 }) 263 .then(data => { 264 assert_equals(data.requests.length, 0, 265 'The fetch request should NOT be handled by SW.'); 266 }); 267 }, 'Fetch request from a worker in iframe sandboxed by an attribute with ' + 268 'allow-scripts flag'); 269 270 promise_test(t => { 271 let frame = sandboxed_frame; 272 return doTest(frame, 'iframe') 273 .then(result => { 274 assert_equals(result, 'done'); 275 return getResultsFromWorker(worker); 276 }) 277 .then(data => { 278 assert_equals(data.requests.length, 0, 279 'The request should NOT be handled by SW.'); 280 assert_false(data.clients.includes(frame.src + '&test=iframe')); 281 }); 282 }, 'Request for an iframe in the iframe sandboxed by an attribute with ' + 283 'allow-scripts flag'); 284 285 promise_test(t => { 286 let frame = sandboxed_frame; 287 return doTest(frame, 'sandboxed-iframe') 288 .then(result => { 289 assert_equals(result, 'done'); 290 return getResultsFromWorker(worker); 291 }) 292 .then(data => { 293 assert_equals(data.requests.length, 0, 294 'The request should NOT be handled by SW.'); 295 assert_false(data.clients.includes( 296 frame.src + '&test=sandboxed-iframe')); 297 }); 298 }, 'Request for an sandboxed iframe with allow-scripts flag in the iframe ' + 299 'sandboxed by an attribute with allow-scripts flag'); 300 301 promise_test(t => { 302 let frame = sandboxed_frame; 303 return doTest(frame, 'sandboxed-iframe-same-origin') 304 .then(result => { 305 assert_equals(result, 'done'); 306 return getResultsFromWorker(worker); 307 }) 308 .then(data => { 309 assert_equals(data.requests.length, 0, 310 'The request should NOT be handled by SW.'); 311 assert_false(data.clients.includes( 312 frame.src + '&test=sandboxed-iframe-same-origin')); 313 }); 314 }, 'Request for an sandboxed iframe with allow-scripts and ' + 315 'allow-same-origin flag in the iframe sandboxed by an attribute with ' + 316 'allow-scripts flag'); 317 318 promise_test(t => { 319 let frame = sandboxed_same_origin_frame; 320 return doTest(frame, 'fetch') 321 .then(result => { 322 assert_equals(result, 'done'); 323 return getResultsFromWorker(worker); 324 }) 325 .then(data => { 326 let requests = data.requests; 327 assert_equals(requests.length, 1, 328 'The fetch request should be handled by SW.'); 329 assert_equals(requests[0], frame.src + '&test=fetch'); 330 }); 331 }, 'Fetch request from iframe sandboxed by an attribute with allow-scripts ' + 332 'and allow-same-origin flag'); 333 334 promise_test(t => { 335 let frame = sandboxed_same_origin_frame; 336 return doTest(frame, 'fetch-from-worker') 337 .then(result => { 338 assert_equals(result, 'done'); 339 return getResultsFromWorker(worker); 340 }) 341 .then(data => { 342 let requests = data.requests; 343 assert_equals(requests.length, 1, 344 'The fetch request should be handled by SW.'); 345 assert_equals(requests[0], 346 frame.src + '&test=fetch-from-worker'); 347 }); 348 }, 'Fetch request from a worker in iframe sandboxed by an attribute with ' + 349 'allow-scripts and allow-same-origin flag'); 350 351 promise_test(t => { 352 let frame = sandboxed_same_origin_frame; 353 return doTest(frame, 'iframe') 354 .then(result => { 355 assert_equals(result, 'done'); 356 return getResultsFromWorker(worker); 357 }) 358 .then(data => { 359 let requests = data.requests; 360 assert_equals(requests.length, 1, 361 'The request should be handled by SW.'); 362 assert_equals(requests[0], frame.src + '&test=iframe'); 363 assert_true(data.clients.includes(frame.src + '&test=iframe')); 364 }); 365 }, 'Request for an iframe in the iframe sandboxed by an attribute with ' + 366 'allow-scripts and allow-same-origin flag'); 367 368 promise_test(t => { 369 let frame = sandboxed_same_origin_frame; 370 return doTest(frame, 'sandboxed-iframe') 371 .then(result => { 372 assert_equals(result, 'done'); 373 return getResultsFromWorker(worker); 374 }) 375 .then(data => { 376 assert_equals(data.requests.length, 0, 377 'The request should NOT be handled by SW.'); 378 assert_false(data.clients.includes( 379 frame.src + '&test=sandboxed-iframe')); 380 }); 381 }, 'Request for an sandboxed iframe with allow-scripts flag in the iframe ' + 382 'sandboxed by attribute with allow-scripts and allow-same-origin flag'); 383 384 promise_test(t => { 385 let frame = sandboxed_same_origin_frame; 386 return doTest(frame, 'sandboxed-iframe-same-origin') 387 .then(result => { 388 assert_equals(result, 'done'); 389 return getResultsFromWorker(worker); 390 }) 391 .then(data => { 392 let requests = data.requests; 393 assert_equals(requests.length, 1, 394 'The request should be handled by SW.'); 395 assert_equals(requests[0], 396 frame.src + '&test=sandboxed-iframe-same-origin'); 397 assert_true(data.clients.includes( 398 frame.src + '&test=sandboxed-iframe-same-origin')); 399 }); 400 }, 'Request for an sandboxed iframe with allow-scripts and ' + 401 'allow-same-origin flag in the iframe sandboxed by attribute with ' + 402 'allow-scripts and allow-same-origin flag'); 403 404 promise_test(t => { 405 let frame = sandboxed_frame_by_header; 406 return doTest(frame, 'fetch') 407 .then(result => { 408 assert_equals(result, 'done'); 409 return getResultsFromWorker(worker); 410 }) 411 .then(data => { 412 assert_equals(data.requests.length, 0, 413 'The request should NOT be handled by SW.'); 414 }); 415 }, 'Fetch request from iframe sandboxed by CSP HTTP header with ' + 416 'allow-scripts flag'); 417 418 promise_test(t => { 419 let frame = sandboxed_frame_by_header; 420 return doTest(frame, 'iframe') 421 .then(result => { 422 assert_equals(result, 'done'); 423 return getResultsFromWorker(worker); 424 }) 425 .then(data => { 426 assert_equals(data.requests.length, 0, 427 'The request should NOT be handled by SW.'); 428 assert_false(data.clients.includes(frame.src + '&test=iframe')); 429 }); 430 }, 'Request for an iframe in the iframe sandboxed by CSP HTTP header with ' + 431 'allow-scripts flag'); 432 433 promise_test(t => { 434 let frame = sandboxed_frame_by_header; 435 return doTest(frame, 'sandboxed-iframe') 436 .then(result => { 437 assert_equals(result, 'done'); 438 return getResultsFromWorker(worker); 439 }) 440 .then(data => { 441 assert_equals(data.requests.length, 0, 442 'The request should NOT be handled by SW.'); 443 assert_false(data.clients.includes( 444 frame.src + '&test=sandboxed-iframe')); 445 }); 446 }, 'Request for an sandboxed iframe with allow-scripts flag in the iframe ' + 447 'sandboxed by CSP HTTP header with allow-scripts flag'); 448 449 promise_test(t => { 450 let frame = sandboxed_frame_by_header; 451 return doTest(frame, 'sandboxed-iframe-same-origin') 452 .then(result => { 453 assert_equals(result, 'done'); 454 return getResultsFromWorker(worker); 455 }) 456 .then(data => { 457 assert_equals(data.requests.length, 0, 458 'The request should NOT be handled by SW.'); 459 assert_false(data.clients.includes( 460 frame.src + '&test=sandboxed-iframe-same-origin')); 461 }); 462 }, 'Request for an sandboxed iframe with allow-scripts and ' + 463 'allow-same-origin flag in the iframe sandboxed by CSP HTTP header with ' + 464 'allow-scripts flag'); 465 466 promise_test(t => { 467 let frame = sandboxed_same_origin_frame_by_header; 468 return doTest(frame, 'fetch') 469 .then(result => { 470 assert_equals(result, 'done'); 471 return getResultsFromWorker(worker); 472 }) 473 .then(data => { 474 let requests = data.requests; 475 assert_equals(requests.length, 1, 476 'The request should be handled by SW.'); 477 assert_equals(requests[0], frame.src + '&test=fetch'); 478 }); 479 }, 'Fetch request from iframe sandboxed by CSP HTTP header with ' + 480 'allow-scripts and allow-same-origin flag'); 481 482 promise_test(t => { 483 let frame = sandboxed_same_origin_frame_by_header; 484 return doTest(frame, 'iframe') 485 .then(result => { 486 assert_equals(result, 'done'); 487 return getResultsFromWorker(worker); 488 }) 489 .then(data => { 490 let requests = data.requests; 491 assert_equals(requests.length, 1, 492 'The request should be handled by SW.'); 493 assert_equals(requests[0], frame.src + '&test=iframe'); 494 assert_true(data.clients.includes(frame.src + '&test=iframe')); 495 }); 496 }, 'Request for an iframe in the iframe sandboxed by CSP HTTP header with ' + 497 'allow-scripts and allow-same-origin flag'); 498 499 promise_test(t => { 500 let frame = sandboxed_same_origin_frame_by_header; 501 return doTest(frame, 'sandboxed-iframe') 502 .then(result => { 503 assert_equals(result, 'done'); 504 return getResultsFromWorker(worker); 505 }) 506 .then(data => { 507 assert_equals(data.requests.length, 0, 508 'The request should NOT be handled by SW.'); 509 assert_false( 510 data.clients.includes(frame.src + '&test=sandboxed-iframe')); 511 }); 512 }, 'Request for an sandboxed iframe with allow-scripts flag in the ' + 513 'iframe sandboxed by CSP HTTP header with allow-scripts and ' + 514 'allow-same-origin flag'); 515 516 promise_test(t => { 517 let frame = sandboxed_same_origin_frame_by_header; 518 return doTest(frame, 'sandboxed-iframe-same-origin') 519 .then(result => { 520 assert_equals(result, 'done'); 521 return getResultsFromWorker(worker); 522 }) 523 .then(data => { 524 let requests = data.requests; 525 assert_equals(requests.length, 1, 526 'The request should be handled by SW.'); 527 assert_equals(requests[0], 528 frame.src + '&test=sandboxed-iframe-same-origin'); 529 assert_true(data.clients.includes( 530 frame.src + '&test=sandboxed-iframe-same-origin')); 531 }); 532 }, 'Request for an sandboxed iframe with allow-scripts and ' + 533 'allow-same-origin flag in the iframe sandboxed by CSP HTTP header with ' + 534 'allow-scripts and allow-same-origin flag'); 535 </script> 536 </body>