tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git
Log | Files | Refs | README | LICENSE

shared-worker-import-data-url-cross-origin.html (2011B)

      1 <!DOCTYPE html>
      2 <title>SharedWorker: ES modules for data URL workers</title>
      3 <script src="/resources/testharness.js"></script>
      4 <script src="/resources/testharnessreport.js"></script>
      5 <script>
      6 
      7 const import_from_data_url_worker_test = (importType, isDataURL, expectation) => {
      8  promise_test(async () => {
      9    const importURL = new URL(`resources/${importType}-import-` +
     10        `${isDataURL ? 'data-url' : 'script'}-block-cross-origin.js`,
     11        location.href) + '?pipe=header(Access-Control-Allow-Origin, *)';
     12    const dataURL = `data:text/javascript,import "${importURL}";`;
     13    const worker = new SharedWorker(dataURL, { type: 'module' });
     14    worker.port.postMessage('Send message for tests from main script.');
     15    const msgEvent = await new Promise((resolve, reject) =>{
     16        worker.port.onmessage = resolve;
     17        worker.onerror = reject;
     18    }).catch(e => assert_true(false));
     19 
     20    assert_array_equals(msgEvent.data,
     21        expectation === 'blocked' ? ['ERROR']
     22                                  : ['export-block-cross-origin.js']);
     23  }, `${importType} import ${isDataURL ? 'data url' : 'script'} from data: ` +
     24     `URL should be ${expectation}.`);
     25 }
     26 
     27 // Static import should obey the outside settings.
     28 // SecurityOrigin of the outside settings is decided by Window.
     29 import_from_data_url_worker_test('static', true, 'allowed');
     30 import_from_data_url_worker_test('static', false, 'allowed');
     31 
     32 
     33 // Dynamic import should obey the inside settings.
     34 // SecurityOrigin of the inside settings is a unique opaque origin.
     35 //
     36 // Data url script is cross-origin to the inside settings' SecurityOrigin, but
     37 // dynamic importing it is allowed.
     38 // https://fetch.spec.whatwg.org/#concept-main-fetch
     39 // Step 5: request’s current URL’s scheme is "data" [spec text]
     40 import_from_data_url_worker_test('dynamic', true, 'allowed');
     41 
     42 // Non-data url script is cross-origin to the inside settings' SecurityOrigin.
     43 // It should be blocked.
     44 import_from_data_url_worker_test('dynamic', false, 'blocked');
     45 
     46 </script>