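<!DOCTYPE html>
<meta charset="utf-8">
<title>DedicatedWorker: CSP for ES Modules</title>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script>

// Resolves with the next 'message' event delivered to this window.
// A one-shot listener is used so each awaited reply consumes exactly one event,
// instead of repeatedly overwriting a shared window.onmessage handler.
// NOTE(review): nothing filters on event.source or event.origin, so any message
// posted to this window resolves the pending wait; the helper window is opened
// from a same-origin relative URL, but confirm no other page posts here.
function nextMessage() {
  return new Promise(resolve => {
    window.addEventListener('message', resolve, { once: true });
  });
}

// Opens `url` in a new window and waits until that page posts 'LOADED'.
// The window is closed once the current test's result has been recorded.
// Returns the opened window.
async function openWindow(url) {
  const win = window.open(url, '_blank');
  add_result_callback(() => win.close());
  const msg_event = await nextMessage();
  assert_equals(msg_event.data, 'LOADED');
  return win;
}

// Builds the wptserve query suffix that attaches `cspHeader` as a
// Content-Security-Policy response header to the fetched resource.
function cspPipe(cspHeader) {
  return '?pipe=header(Content-Security-Policy, ' + cspHeader + ')';
}

// Registers one promise_test that starts a dedicated worker under `cspHeader`
// and checks which modules the worker managed to import.
//
// cspHeader: Content-Security-Policy header value under test. Every caller
//   below includes 'unsafe-inline', presumably so the helper window's own
//   inline script is not blocked by the policy under test — confirm against
//   resources/new-worker-window.html.
// importType: 'static' or 'dynamic'; selects the worker script and decides
//   whether the header is attached to the window or to the worker script.
// expectedImportedModules: array the helper window is expected to post back,
//   e.g. ['ERROR'] when the cross-origin import is blocked.
// description: test name passed to promise_test.
function import_csp_test(
    cspHeader, importType, expectedImportedModules, description) {
  // Append CSP header to windowURL for static import tests since static import
  // scripts should obey Window's CSP.
  const windowURL = 'resources/new-worker-window.html' +
      (importType === 'static' ? cspPipe(cspHeader) : '');
  // Append CSP header to scriptURL for dynamic import tests since dynamic
  // import scripts should obey Worker script's response's CSP.
  const scriptURL = `${importType}-import-remote-origin-script-worker.sub.js` +
      (importType === 'dynamic' ? cspPipe(cspHeader) : '');
  promise_test(async () => {
    const win = await openWindow(windowURL);
    // Ask the window to start a dedicated worker. The '*' target origin is
    // acceptable here: the payload is only a script path and the helper window
    // was opened from a same-origin relative URL.
    win.postMessage(scriptURL, '*');
    // The window replies with the list of modules the worker imported.
    const msg_event = await nextMessage();
    assert_array_equals(msg_event.data, expectedImportedModules);
  }, description);
}

// Tests for static import.
//
// Static import should obey the worker-src directive and the script-src
// directive. If the both directives are specified, the worker-src directive
// should be prioritized.
//
// Step 1: "If the result of executing 6.6.1.11 Get the effective directive for
// request on request is "worker-src", and policy contains a directive whose
// name is "worker-src", return "Allowed"."
// "Note: If worker-src is present, we’ll defer to it when handling worker
// requests."
// https://w3c.github.io/webappsec-csp/#script-src-pre-request

import_csp_test(
    "worker-src 'self' 'unsafe-inline'",
    "static",
    ['ERROR'],
    "worker-src 'self' directive should disallow cross origin static import.");

import_csp_test(
    "worker-src * 'unsafe-inline'",
    "static",
    ["export-on-load-script.js"],
    "worker-src * directive should allow cross origin static import.");

import_csp_test(
    "script-src 'self' 'unsafe-inline'",
    "static",
    ['ERROR'],
    "script-src 'self' directive should disallow cross origin static import.");

import_csp_test(
    "script-src * 'unsafe-inline'",
    "static",
    ["export-on-load-script.js"],
    "script-src * directive should allow cross origin static import.");

import_csp_test(
    "worker-src *; script-src 'self' 'unsafe-inline'",
    "static",
    ["export-on-load-script.js"],
    "worker-src * directive should override script-src 'self' directive and " +
    "allow cross origin static import.");

import_csp_test(
    "worker-src 'self'; script-src * 'unsafe-inline'",
    "static",
    ['ERROR'],
    "worker-src 'self' directive should override script-src * directive and " +
    "disallow cross origin static import.");

// For static imports on workers, the effective directive should be 'worker-src'.
// https://w3c.github.io/webappsec-csp/#effective-directive-for-a-request
//
// The directive fallback list of 'worker-src' doesn't contain 'script-src-elem'
// https://w3c.github.io/webappsec-csp/#directive-fallback-list
import_csp_test(
    "script-src-elem 'self' 'unsafe-inline'",
    "static",
    ["export-on-load-script.js"],
    "script-src-elem 'self' directive should not take effect on static import.");

// Tests for dynamic import.
//
// Dynamic import should obey the script-src directive instead of the worker-src
// directive according to the specs:
//
// Dynamic import has the "script" destination.
// Step 2.4: "Fetch a module script graph given url, ..., "script", ..."
// https://html.spec.whatwg.org/multipage/webappapis.html#hostimportmoduledynamically(referencingscriptormodule,-specifier,-promisecapability)
//
// The "script" destination should obey the script-src CSP directive.
// Step 2: "If request's destination is script-like:"
// https://w3c.github.io/webappsec-csp/#script-src-pre-request

import_csp_test(
    "script-src 'self' 'unsafe-inline'",
    "dynamic",
    ['ERROR'],
    "script-src 'self' directive should disallow cross origin dynamic import.");

// For dynamic imports, the effective directive should be 'script-src-elem'.
// https://w3c.github.io/webappsec-csp/#effective-directive-for-a-request
import_csp_test(
    "script-src-elem 'self' 'unsafe-inline'",
    "dynamic",
    ['ERROR'],
    "script-src-elem 'self' directive should disallow cross origin dynamic import.");

import_csp_test(
    "script-src * 'unsafe-inline'",
    "dynamic",
    ["export-on-load-script.js"],
    "script-src * directive should allow cross origin dynamic import.");

import_csp_test(
    "worker-src 'self' 'unsafe-inline'",
    "dynamic",
    ["export-on-load-script.js"],
    "worker-src 'self' directive should not take effect on dynamic import.");
</script>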