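<!DOCTYPE html>
<title>SharedWorker: CSP for ES Modules</title>
<meta name="timeout" content="long">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script>

// Keys of the shared workers started so far. Each test must start a newly
// created shared worker rather than connecting to one left over from an
// earlier test, otherwise the CSP under test would not be the one applied.
// Keys are strings (`${scriptURL}#${name}`): Set membership is by identity,
// so storing the {scriptURL, name} object literal itself would never match.
const existingWorkers = new Set();

// Opens `url` in a new window and waits for it to post 'LOADED'.
// The window is closed when the current test's result is reported.
// Returns the opened window.
async function openWindow(url) {
  const win = window.open(url, '_blank');
  add_result_callback(() => win.close());
  // Tests run sequentially, so overwriting onmessage cannot race with another
  // pending message wait.
  const msgEvent = await new Promise(resolve => window.onmessage = resolve);
  assert_equals(msgEvent.data, 'LOADED');
  return win;
}

// Registers a promise_test that asks a window to start a shared worker and
// checks which modules the worker reports as imported under `cspHeader`.
//
// cspHeader: Content-Security-Policy header value under test.
// importType: 'static' or 'dynamic'. For 'static' the header is served on the
//   window that starts the worker, since static import scripts should obey
//   the Window's CSP. For 'dynamic' the header is served on the SharedWorker
//   script's response, since dynamic import scripts should obey the
//   SharedWorker script's response's CSP.
// expectedImportedModules: array the worker is expected to post back.
// description: passed through to promise_test.
function import_csp_test(
    cspHeader, importType, expectedImportedModules, description) {
  // wptserve pipe that attaches the CSP header to a response.
  const cspQuery = `?pipe=header(Content-Security-Policy, ${cspHeader})`;
  const windowURL = `resources/new-shared-worker-window.html${
      importType === 'static' ? cspQuery : ''}`;
  const scriptURL = `${importType}-import-remote-origin-script-worker.sub.js${
      importType === 'dynamic' ? cspQuery : ''}`;
  promise_test(async () => {
    // Open a window that has the given CSP header.
    const win = await openWindow(windowURL);
    // Construct a unique name for the SharedWorker; a shared worker is
    // identified by its script URL and name.
    const name = `${cspHeader}_${importType}`;
    const workerProperties = { scriptURL, name };
    // Check that this shared worker is newly created. Key on the (scriptURL,
    // name) pair as a string: the previous object-identity check could never
    // fail because each call built a fresh object literal.
    const workerKey = `${scriptURL}#${name}`;
    assert_false(existingWorkers.has(workerKey),
                 `shared worker already created: ${workerKey}`);
    existingWorkers.add(workerKey);

    // Ask the window to start a shared worker with the given CSP header.
    // The shared worker doesn't inherit the window's CSP header; its CSP comes
    // from its own script response.
    // https://w3c.github.io/webappsec-csp/#initialize-global-object-csp
    // The window is same-origin (relative URL), so '*' is only a convenience.
    win.postMessage(workerProperties, '*');
    const resultEvent = await new Promise(resolve => window.onmessage = resolve);
    assert_array_equals(resultEvent.data, expectedImportedModules);
  }, description);
}

// Tests for static import.
//
// Static import should obey the worker-src directive and the script-src
// directive. If both directives are specified, the worker-src directive
// should be prioritized.
//
// "The script-src directive acts as a default fallback for all script-like
// destinations (including worker-specific destinations if worker-src is not
// present)."
// https://w3c.github.io/webappsec-csp/#directive-script-src

import_csp_test(
    "worker-src 'self' 'unsafe-inline'", "static",
    ['ERROR'],
    "worker-src 'self' directive should disallow cross origin static import.");

import_csp_test(
    "worker-src * 'unsafe-inline'", "static",
    ["export-on-load-script.js"],
    "worker-src * directive should allow cross origin static import.");

import_csp_test(
    "script-src 'self' 'unsafe-inline'", "static",
    ['ERROR'],
    "script-src 'self' directive should disallow cross origin static import.");

import_csp_test(
    "script-src * 'unsafe-inline'", "static",
    ["export-on-load-script.js"],
    "script-src * directive should allow cross origin static import.");

import_csp_test(
    "worker-src *; script-src 'self' 'unsafe-inline'", "static",
    ["export-on-load-script.js"],
    "worker-src * directive should override script-src 'self' directive and " +
    "allow cross origin static import.");

import_csp_test(
    "worker-src 'self'; script-src * 'unsafe-inline'", "static",
    ['ERROR'],
    "worker-src 'self' directive should override script-src * directive and " +
    "disallow cross origin static import.");

// Tests for dynamic import.
//
// Dynamic import should obey the SharedWorker script's CSP instead of the
// parent Window's CSP.
//
// Dynamic import should obey the script-src directive instead of the worker-src
// directive according to the specs:
//
// Dynamic import has the "script" destination.
// Step 3: "Fetch a single module script graph given url, ..., "script", ..."
// https://html.spec.whatwg.org/multipage/webappapis.html#fetch-an-import()-module-script-graph
//
// The "script" destination should obey the script-src CSP directive.
// "The script-src directive acts as a default fallback for all script-like
// destinations (including worker-specific destinations if worker-src is not
// present)."
// https://w3c.github.io/webappsec-csp/#directive-script-src

import_csp_test(
    "script-src 'self' 'unsafe-inline'", "dynamic",
    ['ERROR'],
    "script-src 'self' directive should disallow cross origin dynamic import.");

import_csp_test(
    "script-src * 'unsafe-inline'", "dynamic",
    ["export-on-load-script.js"],
    "script-src * directive should allow cross origin dynamic import.");

import_csp_test(
    "worker-src 'self' 'unsafe-inline'", "dynamic",
    ["export-on-load-script.js"],
    "worker-src 'self' directive should not take effect on dynamic import.");

</script>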