[gecko.git] / dom / security / test / csp / main_csp_worker.html
1 <!DOCTYPE HTML>
2 <html>
3 <head>
4 <title>Bug 1475849: Test CSP worker inheritance</title>
5 <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
6 <script src="/tests/SimpleTest/SimpleTest.js"></script>
7 <script type="application/javascript" src="worker_helper.js"></script>
9 </head>
10 <body>
11 <script type="application/javascript">
// The test drives itself asynchronously through worker callbacks, so the
// harness must wait for an explicit finish instead of ending at page load.
SimpleTest.waitForExplicitFinish();

// Script loaded as the worker; the test parameters travel in its query string.
const SJS = "worker.sjs";

// Request targets used inside the worker. Both point at the same file_CSP.sjs
// path and differ only in origin.
// NOTE(review): SAME_BASE is presumably the origin this page is served from,
// which is what makes it match 'self' in the policies below; confirm.
const SAME_BASE = "http://mochi.test:8888/tests/dom/security/test/csp/file_CSP.sjs";
const CROSS_BASE = "http://example.com/tests/dom/security/test/csp/file_CSP.sjs";
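/* Test data format:
  {
    id: test id, short description of the test,
    base: URL of the request made inside the worker,
    action: type of request in the worker (fetch, xhr, importScripts),
    type: how the (parent) worker is created, from URL or Blob,
    csp: CSP sent for the (parent) worker script,
    child: how the child worker is created, from URL or Blob,
    childCsp: CSP sent for the child worker script,
    expectBlocked: whether CSP is expected to block the request, true or false
  }
*/

// Document's CSP is defined in main_csp_worker.html^headers^
// Content-Security-Policy: default-src 'self' blob: 'unsafe-inline'
//
// What the expectations below encode:
//  - a worker created from a URL is governed by the CSP delivered with its
//    own script response;
//  - a worker created from a blob: URL is governed by the CSP of whoever
//    created it (the document, or the parent worker), so the csp/childCsp
//    value listed for it is expected to have no effect;
//  - fetch and xhr are checked against connect-src, importScripts against
//    default-src (no script-src is set in any policy here).
var tests = [
  // create new Worker(url), worker's csp should be delivered from the header.
  // csp should be: default-src 'self' blob: ; connect-src CROSS_BASE
  // connect-src only lists the cross origin, so same-origin fetch/xhr is
  // blocked while same-origin importScripts is still allowed by default-src.
  {
    id: "worker_url_fetch_same_bad",
    base: SAME_BASE,
    action: "fetch",
    type: "url",
    csp: "default-src 'self' blob: ; connect-src http://example.com",
    expectBlocked: true
  },
  {
    id: "worker_url_importScripts_same_good",
    base: SAME_BASE,
    action: "importScripts",
    type: "url",
    csp: "default-src 'self' blob: ; connect-src http://example.com",
    expectBlocked: false
  },
  {
    id: "worker_url_xhr_same_bad",
    base: SAME_BASE,
    action: "xhr",
    type: "url",
    csp: "default-src 'self' blob: ; connect-src http://example.com",
    expectBlocked: true
  },
  {
    id: "worker_url_fetch_cross_good",
    base: CROSS_BASE,
    action: "fetch",
    type: "url",
    csp: "default-src 'self' blob: ; connect-src http://example.com",
    expectBlocked: false
  },
  {
    id: "worker_url_importScripts_cross_bad",
    base: CROSS_BASE,
    action: "importScripts",
    type: "url",
    csp: "default-src 'self' blob: ; connect-src http://example.com",
    expectBlocked: true
  },
  {
    id: "worker_url_xhr_cross_good",
    base: CROSS_BASE,
    action: "xhr",
    type: "url",
    csp: "default-src 'self' blob: ; connect-src http://example.com",
    expectBlocked: false
  },

  // create new Worker(blob:), worker's csp should be inherited from
  // document.
  // csp should be: default-src 'self' blob: 'unsafe-inline'
  // The csp value listed here differs from the document's policy; the
  // expectations only hold if the document's policy is the one enforced.
  {
    id: "worker_blob_fetch_same_good",
    base: SAME_BASE,
    action: "fetch",
    type: "blob",
    csp: "default-src 'self' blob: ; connect-src http://example.com",
    expectBlocked: false
  },
  {
    id: "worker_blob_xhr_same_good",
    base: SAME_BASE,
    action: "xhr",
    type: "blob",
    csp: "default-src 'self' blob: ; connect-src http://example.com",
    expectBlocked: false
  },
  {
    id: "worker_blob_importScripts_same_good",
    base: SAME_BASE,
    action: "importScripts",
    type: "blob",
    csp: "default-src 'self' blob: ; connect-src http://example.com",
    expectBlocked: false
  },
  {
    id: "worker_blob_fetch_cross_bad",
    base: CROSS_BASE,
    action: "fetch",
    type: "blob",
    csp: "default-src 'self' blob: ; connect-src http://example.com",
    expectBlocked: true
  },
  {
    id: "worker_blob_xhr_cross_bad",
    base: CROSS_BASE,
    action: "xhr",
    type: "blob",
    csp: "default-src 'self' blob: ; connect-src http://example.com",
    expectBlocked: true
  },
  {
    id: "worker_blob_importScripts_cross_bad",
    base: CROSS_BASE,
    action: "importScripts",
    type: "blob",
    csp: "default-src 'self' blob: ; connect-src http://example.com",
    expectBlocked: true
  },

  // create parent worker from url, child worker from blob,
  // the parent gets its csp from the header and propagates it to the child.
  // csp should be: "default-src 'self' blob: ; connect-src 'self' http://example.com",
  // childCsp is "default-src 'none'"; requests being allowed shows that the
  // child is expected to run under the parent's policy instead.
  {
    id: "worker_url_child_blob_fetch_same_good",
    base: SAME_BASE,
    action: "fetch",
    child: "blob",
    childCsp: "default-src 'none'",
    type: "url",
    csp: "default-src 'self' blob: ; connect-src 'self' http://example.com",
    expectBlocked: false
  },
  {
    id: "worker_url_child_blob_importScripts_same_good",
    base: SAME_BASE,
    action: "importScripts",
    child: "blob",
    childCsp: "default-src 'none'",
    type: "url",
    csp: "default-src 'self' blob: ; connect-src 'self' http://example.com",
    expectBlocked: false
  },
  {
    id: "worker_url_child_blob_xhr_same_good",
    base: SAME_BASE,
    child: "blob",
    childCsp: "default-src 'none'",
    action: "xhr",
    type: "url",
    csp: "default-src 'self' blob: ; connect-src 'self' http://example.com",
    expectBlocked: false
  },
  {
    id: "worker_url_child_blob_fetch_cross_good",
    base: CROSS_BASE,
    action: "fetch",
    child: "blob",
    childCsp: "default-src 'none'",
    type: "url",
    csp: "default-src 'self' blob: ; connect-src 'self' http://example.com",
    expectBlocked: false
  },
  {
    id: "worker_url_child_blob_importScripts_cross_bad",
    base: CROSS_BASE,
    action: "importScripts",
    child: "blob",
    childCsp: "default-src 'none'",
    type: "url",
    csp: "default-src 'self' blob: ; connect-src 'self' http://example.com",
    expectBlocked: true
  },
  {
    // NOTE(review): "godd" looks like a typo for "good"; the id is sent to the
    // server and reused in the check URL, so it is left unchanged here.
    id: "worker_url_child_blob_xhr_cross_godd",
    base: CROSS_BASE,
    child: "blob",
    childCsp: "default-src 'none'",
    action: "xhr",
    type: "url",
    csp: "default-src 'self' blob: ; connect-src 'self' http://example.com",
    expectBlocked: false
  },

  // create parent worker from blob, child worker from blob,
  // csp is inherited along the chain: document -> parent -> child
  // csp should be: default-src 'self' blob: 'unsafe-inline'
  {
    id: "worker_blob_child_blob_fetch_same_good",
    base: SAME_BASE,
    child: "blob",
    childCsp: "default-src 'none'",
    action: "fetch",
    type: "blob",
    csp: "default-src 'self' blob:",
    expectBlocked: false
  },
  {
    id: "worker_blob_child_blob_xhr_same_good",
    base: SAME_BASE,
    child: "blob",
    childCsp: "default-src 'none'",
    action: "xhr",
    type: "blob",
    csp: "default-src 'self' blob:",
    expectBlocked: false
  },
  {
    id: "worker_blob_child_blob_importScripts_same_good",
    base: SAME_BASE,
    action: "importScripts",
    child: "blob",
    childCsp: "default-src 'none'",
    type: "blob",
    csp: "default-src 'self' blob:",
    expectBlocked: false
  },
  {
    id: "worker_blob_child_blob_fetch_cross_bad",
    base: CROSS_BASE,
    child: "blob",
    childCsp: "default-src 'none'",
    action: "fetch",
    type: "blob",
    csp: "default-src 'self' blob:",
    expectBlocked: true
  },
  {
    id: "worker_blob_child_blob_xhr_cross_bad",
    base: CROSS_BASE,
    child: "blob",
    childCsp: "default-src 'none'",
    action: "xhr",
    type: "blob",
    csp: "default-src 'self' blob:",
    expectBlocked: true
  },
  {
    id: "worker_blob_child_blob_importScripts_cross_bad",
    base: CROSS_BASE,
    action: "importScripts",
    child: "blob",
    childCsp: "default-src 'none'",
    type: "blob",
    csp: "default-src 'self' blob:",
    expectBlocked: true
  },

  // create parent worker from url, child worker from url,
  // the child gets its csp from its own header.
  // csp should be: default-src 'none'
  // With default-src 'none' every request is expected to be blocked,
  // same-origin included.
  {
    id: "worker_url_child_url_fetch_cross_bad",
    base: CROSS_BASE,
    action: "fetch",
    child: "url",
    childCsp: "default-src 'none'",
    type: "url",
    csp: "default-src 'self' blob:",
    expectBlocked: true
  },
  {
    id: "worker_url_child_url_xhr_cross_bad",
    base: CROSS_BASE,
    child: "url",
    childCsp: "default-src 'none'",
    action: "xhr",
    type: "url",
    csp: "default-src 'self' blob:",
    expectBlocked: true
  },
  {
    id: "worker_url_child_url_importScripts_cross_bad",
    base: CROSS_BASE,
    action: "importScripts",
    child: "url",
    childCsp: "default-src 'none'",
    type: "url",
    csp: "default-src 'self' blob:",
    expectBlocked: true
  },
  {
    id: "worker_url_child_url_fetch_same_bad",
    base: SAME_BASE,
    action: "fetch",
    child: "url",
    childCsp: "default-src 'none'",
    type: "url",
    csp: "default-src 'self' blob:",
    expectBlocked: true
  },
  {
    id: "worker_url_child_url_xhr_same_bad",
    base: SAME_BASE,
    child: "url",
    childCsp: "default-src 'none'",
    action: "xhr",
    type: "url",
    csp: "default-src 'self' blob:",
    expectBlocked: true
  },
  {
    id: "worker_url_child_url_importScripts_same_bad",
    base: SAME_BASE,
    action: "importScripts",
    child: "url",
    childCsp: "default-src 'none'",
    type: "url",
    csp: "default-src 'self' blob:",
    expectBlocked: true
  },

  // create parent worker from blob, child worker from url,
  // the child gets its csp from its own header.
  // csp should be: default-src 'none'
  {
    id: "worker_blob_child_url_fetch_cross_bad",
    base: CROSS_BASE,
    child: "url",
    childCsp: "default-src 'none'",
    action: "fetch",
    type: "blob",
    csp: "default-src 'self' blob:",
    expectBlocked: true
  },
  {
    id: "worker_blob_child_url_xhr_cross_bad",
    base: CROSS_BASE,
    child: "url",
    childCsp: "default-src 'none'",
    action: "xhr",
    type: "blob",
    csp: "default-src 'self' blob:",
    expectBlocked: true
  },
  {
    id: "worker_blob_child_url_importScripts_cross_bad",
    base: CROSS_BASE,
    action: "importScripts",
    child: "url",
    childCsp: "default-src 'none'",
    type: "blob",
    csp: "default-src 'self' blob:",
    expectBlocked: true
  },
  {
    id: "worker_blob_child_url_fetch_same_bad",
    base: SAME_BASE,
    child: "url",
    childCsp: "default-src 'none'",
    action: "fetch",
    type: "blob",
    csp: "default-src 'self' blob:",
    expectBlocked: true
  },
  {
    id: "worker_blob_child_url_xhr_same_bad",
    base: SAME_BASE,
    child: "url",
    childCsp: "default-src 'none'",
    action: "xhr",
    type: "blob",
    csp: "default-src 'self' blob:",
    expectBlocked: true
  },
  {
    id: "worker_blob_child_url_importScripts_same_bad",
    base: SAME_BASE,
    action: "importScripts",
    child: "url",
    childCsp: "default-src 'none'",
    type: "blob",
    csp: "default-src 'self' blob:",
    expectBlocked: true
  },
];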
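/**
 * Run one CSP worker test case.
 *
 * Builds the worker script URL from SJS with the test parameters in the query
 * string, creates the (parent) worker either directly from that URL or from a
 * Blob fetched from it, then calls assertCSPBlock() with the expected outcome
 * and finally runNextTest().
 *
 * @param {object} data - one test description: id, base, action, type, csp,
 *   expectBlocked and optionally child / childCsp.
 * @returns {Promise<void>}
 * @throws {Error} when data.type is neither "url" nor "blob".
 */
async function runWorkerTest(data) {
  // NOTE(review): escape() is deprecated and does not encode "+" or handle
  // non-Latin-1 text the way encodeURIComponent() does. It is kept because the
  // receiving script (worker.sjs, not shown here) has to decode whatever is
  // sent; confirm its decoding before switching encoders.
  let src = SJS;
  src += "?base=" + escape(data.base);
  src += "&action=" + escape(data.action);
  src += "&csp=" + escape(data.csp);
  src += "&id=" + escape(data.id);

  // The child-worker parameters are only sent for nested-worker cases.
  if (data.child) {
    src += "&child=" + escape(data.child);
  }

  if (data.childCsp) {
    src += "&childCsp=" + escape(data.childCsp);
  }

  switch (data.type) {
    case "url":
      // The worker script is requested from the network under this URL.
      new Worker(src);
      break;

    case "blob":
      // Same script, but handed to the worker as a blob: URL.
      new Worker(URL.createObjectURL(await doXHRGetBlob(src)));
      break;

    default:
      // Throw a real Error (not a bare string) so the failure carries a stack
      // and names the offending value.
      throw new Error(`Unsupported worker type: ${data.type}`);
  }

  // The id is appended unencoded; every id in this file is a plain identifier.
  let checkUri = data.base + "?id=" + data.id;
  await assertCSPBlock(checkUri, data.expectBlocked);
  runNextTest();
}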
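// Queue one async test per entry of `tests`, then start the queue.
tests.forEach(function(test) {
  addAsyncTest(async function() {
    // Await the run so that a rejection (unsupported type, failed blob fetch,
    // failed CSP assertion) settles this function's promise instead of being
    // dropped as a floating promise.
    // NOTE(review): what addAsyncTest() does with that promise is defined in
    // worker_helper.js, which is not shown here; confirm it reports rejections.
    await runWorkerTest(test);
  });
});

runNextTest();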
436 </script>
438 </body>
439 </html>