4 <title>Bug
1475849: Test CSP worker inheritance
</title>
5 <link rel=
"stylesheet" type=
"text/css" href=
"/tests/SimpleTest/test.css" />
6 <script src=
"/tests/SimpleTest/SimpleTest.js"></script>
7 <script type=
"application/javascript" src=
"worker_helper.js"></script>
11 <script type=
"application/javascript">
12 const SJS =
"worker.sjs";
13 const SAME_BASE =
"http://mochi.test:8888/tests/dom/security/test/csp/file_CSP.sjs";
14 const CROSS_BASE =
"http://example.com/tests/dom/security/test/csp/file_CSP.sjs";
16 SimpleTest.waitForExplicitFinish();
19 id: test id, short description of test,
20 base: URL of the request in worker,
21 action: type of request in worker (fetch, xhr, importScripts)
22 type: how do we create the worker, from URL or Blob,
24 child: how do we create the child worker, from URL or Blob,
25 childCsp: csp of child worker
26 expectBlocked: whether the request is expected to be blocked by the CSP, true or false
30 // Document's CSP is defined in main_csp_worker.html^headers^
31 // Content-Security-Policy: default-src 'self' blob: 'unsafe-inline'
33 // create new Worker(url), worker's csp should be delivered from header.
34 // csp should be: default-src 'self' blob: ; connect-src CROSS_BASE
36 id:
"worker_url_fetch_same_bad",
40 csp:
"default-src 'self' blob: ; connect-src http://example.com",
44 id:
"worker_url_importScripts_same_good",
46 action:
"importScripts",
48 csp:
"default-src 'self' blob: ; connect-src http://example.com",
52 id:
"worker_url_xhr_same_bad",
56 csp:
"default-src 'self' blob: ; connect-src http://example.com",
60 id:
"worker_url_fetch_cross_good",
64 csp:
"default-src 'self' blob: ; connect-src http://example.com",
68 id:
"worker_url_importScripts_cross_bad",
70 action:
"importScripts",
72 csp:
"default-src 'self' blob: ; connect-src http://example.com",
76 id:
"worker_url_xhr_cross_good",
80 csp:
"default-src 'self' blob: ; connect-src http://example.com",
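84 // create new Worker(blob:), worker's csp should be inherited from the document
85 // (the per-entry csp below is presumably not the effective policy for blob: workers),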
86 // csp should be : default-src 'self' blob: 'unsafe-inline'
88 id:
"worker_blob_fetch_same_good",
92 csp:
"default-src 'self' blob: ; connect-src http://example.com",
96 id:
"worker_blob_xhr_same_good",
100 csp:
"default-src 'self' blob: ; connect-src http://example.com",
104 id:
"worker_blob_importScripts_same_good",
106 action:
"importScripts",
108 csp:
"default-src 'self' blob: ; connect-src http://example.com",
112 id:
"worker_blob_fetch_cross_bad",
116 csp:
"default-src 'self' blob: ; connect-src http://example.com",
120 id:
"worker_blob_xhr_cross_bad",
124 csp:
"default-src 'self' blob: ; connect-src http://example.com",
128 id:
"worker_blob_importScripts_cross_bad",
130 action:
"importScripts",
132 csp:
"default-src 'self' blob: ; connect-src http://example.com",
136 // create parent worker from url, child worker from blob,
137 // the parent's csp is delivered by header, then propagates to the blob: child
138 // csp should be:
"default-src 'self' blob: ; connect-src 'self' http://example.com",
140 id:
"worker_url_child_blob_fetch_same_good",
144 childCsp:
"default-src 'none'",
146 csp:
"default-src 'self' blob: ; connect-src 'self' http://example.com",
150 id:
"worker_url_child_blob_importScripts_same_good",
152 action:
"importScripts",
154 childCsp:
"default-src 'none'",
156 csp:
"default-src 'self' blob: ; connect-src 'self' http://example.com",
160 id:
"worker_url_child_blob_xhr_same_good",
163 childCsp:
"default-src 'none'",
166 csp:
"default-src 'self' blob: ; connect-src 'self' http://example.com",
170 id:
"worker_url_child_blob_fetch_cross_good",
174 childCsp:
"default-src 'none'",
176 csp:
"default-src 'self' blob: ; connect-src 'self' http://example.com",
180 id:
"worker_url_child_blob_importScripts_cross_bad",
182 action:
"importScripts",
184 childCsp:
"default-src 'none'",
186 csp:
"default-src 'self' blob: ; connect-src 'self' http://example.com",
190 id:
"worker_url_child_blob_xhr_cross_godd",
193 childCsp:
"default-src 'none'",
196 csp:
"default-src 'self' blob: ; connect-src 'self' http://example.com",
201 // create parent worker from blob, child worker from blob,
202 // CSP is inherited along the chain: document -> parent -> child
203 // csp should be : default-src 'self' blob: 'unsafe-inline'
205 id:
"worker_blob_child_blob_fetch_same_good",
208 childCsp:
"default-src 'none'",
211 csp:
"default-src 'self' blob:",
215 id:
"worker_blob_child_blob_xhr_same_good",
218 childCsp:
"default-src 'none'",
221 csp:
"default-src 'self' blob:",
225 id:
"worker_blob_child_blob_importScripts_same_good",
227 action:
"importScripts",
229 childCsp:
"default-src 'none'",
231 csp:
"default-src 'self' blob:",
235 id:
"worker_blob_child_blob_fetch_cross_bad",
238 childCsp:
"default-src 'none'",
241 csp:
"default-src 'self' blob:",
245 id:
"worker_blob_child_blob_xhr_cross_bad",
248 childCsp:
"default-src 'none'",
251 csp:
"default-src 'self' blob:",
255 id:
"worker_blob_child_blob_importScripts_cross_bad",
257 action:
"importScripts",
259 childCsp:
"default-src 'none'",
261 csp:
"default-src 'self' blob:",
265 // create parent worker from url, child worker from url,
266 // the child's csp is delivered by header (not inherited from the parent)
267 // csp should be : default-src 'none'
269 id:
"worker_url_child_url_fetch_cross_bad",
273 childCsp:
"default-src 'none'",
275 csp:
"default-src 'self' blob:",
279 id:
"worker_url_child_url_xhr_cross_bad",
282 childCsp:
"default-src 'none'",
285 csp:
"default-src 'self' blob:",
289 id:
"worker_url_child_url_importScripts_cross_bad",
291 action:
"importScripts",
293 childCsp:
"default-src 'none'",
295 csp:
"default-src 'self' blob:",
299 id:
"worker_url_child_url_fetch_same_bad",
303 childCsp:
"default-src 'none'",
305 csp:
"default-src 'self' blob:",
309 id:
"worker_url_child_url_xhr_same_bad",
312 childCsp:
"default-src 'none'",
315 csp:
"default-src 'self' blob:",
319 id:
"worker_url_child_url_importScripts_same_bad",
321 action:
"importScripts",
323 childCsp:
"default-src 'none'",
325 csp:
"default-src 'self' blob:",
329 // create parent worker from blob, child worker from url,
330 // the child's csp is delivered by header (not inherited from the parent)
331 // csp should be : default-src 'none'
333 id:
"worker_blob_child_url_fetch_cross_bad",
336 childCsp:
"default-src 'none'",
339 csp:
"default-src 'self' blob:",
343 id:
"worker_blob_child_url_xhr_cross_bad",
346 childCsp:
"default-src 'none'",
349 csp:
"default-src 'self' blob:",
353 id:
"worker_blob_child_url_importScripts_cross_bad",
355 action:
"importScripts",
357 childCsp:
"default-src 'none'",
359 csp:
"default-src 'self' blob:",
363 id:
"worker_blob_child_url_fetch_same_bad",
366 childCsp:
"default-src 'none'",
369 csp:
"default-src 'self' blob:",
373 id:
"worker_blob_child_url_xhr_same_bad",
376 childCsp:
"default-src 'none'",
379 csp:
"default-src 'self' blob:",
383 id:
"worker_blob_child_url_importScripts_same_bad",
385 action:
"importScripts",
387 childCsp:
"default-src 'none'",
389 csp:
"default-src 'self' blob:",
/**
 * Runs one worker CSP test case: appends the test parameters to the worker
 * script URL as a query string, starts the worker, then checks whether the
 * worker's request was blocked.
 *
 * NOTE(review): several lines of this function are missing from this listing
 * (the initial value of src, the branches around the child parameters and the
 * worker creation), so the comments below cover only the visible statements.
 *
 * @param {object} data - One test entry; the visible code reads base, action,
 *   csp, id, child, childCsp and expectBlocked from it.
 */
396 async function runWorkerTest(data) {
// Each value is passed through escape() before being appended to the query.
// NOTE(review): escape() is deprecated and leaves "+" and "/" unescaped;
// encodeURIComponent() is the usual encoder for query values. The CSP strings
// in this file contain no "+", so this looks harmless here - confirm how the
// .sjs handler decodes them.
398 src +=
"?base=" + escape(data.base);
399 src +=
"&action=" + escape(data.action);
400 src +=
"&csp=" + escape(data.csp);
401 src +=
"&id=" + escape(data.id);
// presumably appended only when the entry defines a child worker; the guard
// lines are not visible here
404 src +=
"&child=" + escape(data.child);
408 src +=
"&childCsp=" + escape(data.childCsp);
// Blob case: the script at src is fetched as a Blob and the worker is started
// from a blob: URL. doXHRGetBlob is not defined in the visible code
// (presumably worker_helper.js - verify).
// NOTE(review): the object URL is not revoked in the visible code.
417 new Worker(URL.createObjectURL(await doXHRGetBlob(src)));
// NOTE(review): throws a bare string, not an Error, so no stack trace is
// attached; the condition guarding this throw is not visible here.
421 throw
"Unsupport type";
// The check URI carries only the test id, appended without encoding (the ids
// in this file are plain identifiers).
424 let checkUri = data.base +
"?id=" + data.id;
// assertCSPBlock is defined outside the visible code; it receives the check
// URI and the expected blocked/allowed outcome for this entry.
425 await assertCSPBlock(checkUri, data.expectBlocked);
429 tests.forEach(function(test) {
430 addAsyncTest(async function() {