☠☠ backed out by eaf6dbd7b716 ☠ ☠ | |
author | Hiroki Nakagawa <nhiroki@chromium.org> |
Wed, 06 Jun 2018 17:39:56 +0000 | |
changeset 422270 | 938588f3dea76743c64be0a94e2df2677c66b75d |
parent 422269 | ecda8fb8cb10ecda5d46731771f3e89a00a657ed |
child 422271 | e5a51c261f1cd1a3ea043dafeb7358a8972bafda |
push id | 34122 |
push user | ebalazs@mozilla.com |
push date | Mon, 11 Jun 2018 09:37:00 +0000 |
reviewers | testonly |
bugs | 1465433, 11248, 680046, 1078947, 563531 |
milestone | 62.0a1 |
--- a/testing/web-platform/meta/MANIFEST.json +++ b/testing/web-platform/meta/MANIFEST.json @@ -300445,16 +300445,21 @@ {} ] ], "workers/modules/resources/dynamic-import-given-url-worker.js": [ [ {} ] ], + "workers/modules/resources/dynamic-import-remote-origin-script-worker.sub.js": [ + [ + {} + ] + ], "workers/modules/resources/dynamic-import-worker.js": [ [ {} ] ], "workers/modules/resources/empty-worker.js": [ [ {} @@ -300470,16 +300475,21 @@ {} ] ], "workers/modules/resources/export-on-load-script.js": [ [ {} ] ], + "workers/modules/resources/export-on-load-script.js.headers": [ + [ + {} + ] + ], "workers/modules/resources/export-on-static-import-script.js": [ [ {} ] ], "workers/modules/resources/import-meta-url-worker.js": [ [ {} @@ -300495,31 +300505,41 @@ {} ] ], "workers/modules/resources/nested-static-import-worker.js": [ [ {} ] ], + "workers/modules/resources/new-worker-window.html": [ + [ + {} + ] + ], "workers/modules/resources/post-message-on-load-worker.js": [ [ {} ] ], "workers/modules/resources/static-import-and-then-dynamic-import-worker.js": [ [ {} ] ], "workers/modules/resources/static-import-non-existent-script-worker.js": [ [ {} ] ], + "workers/modules/resources/static-import-remote-origin-script-worker.sub.js": [ + [ + {} + ] + ], "workers/modules/resources/static-import-worker.js": [ [ {} ] ], "workers/non-automated/application-cache-dedicated.html": [ [ {} @@ -382775,16 +382795,22 @@ ] ], "workers/interfaces/WorkerUtils/navigator/language.html": [ [ "/workers/interfaces/WorkerUtils/navigator/language.html", {} ] ], + "workers/modules/dedicated-worker-import-csp.html": [ + [ + "/workers/modules/dedicated-worker-import-csp.html", + {} + ] + ], "workers/modules/dedicated-worker-import-failure.html": [ [ "/workers/modules/dedicated-worker-import-failure.html", {} ] ], "workers/modules/dedicated-worker-import-meta.html": [ [ 
@@ -624636,16 +624662,20 @@ "workers/interfaces/WorkerUtils/navigator/007.html": [ "9b7b7485f1db37368824a593b2d6cbea46dad440", "testharness" ], "workers/interfaces/WorkerUtils/navigator/language.html": [ "6bffa3be83d81e2faa93119e710e4fee93fb855e", "testharness" ], + "workers/modules/dedicated-worker-import-csp.html": [ + "e889866185addcccf72828df7e75cec387cffab5", + "testharness" + ], "workers/modules/dedicated-worker-import-failure.html": [ "63b2320a3ecf6133a3525574bf5a1d185d1f3aa7", "testharness" ], "workers/modules/dedicated-worker-import-meta.html": [ "32cd3419ff904a2440d9a6eaa7cb28f78d4a7e32", "testharness" ], @@ -624672,16 +624702,20 @@ "workers/modules/resources/dynamic-import-and-then-static-import-worker.js": [ "60eba309a41fc8c07989f87e22400c7fc799687d", "support" ], "workers/modules/resources/dynamic-import-given-url-worker.js": [ "9d64de6e63d110e6eff89a124e94cdec9d1802c2", "support" ], + "workers/modules/resources/dynamic-import-remote-origin-script-worker.sub.js": [ + "bb2d9e0c4c641451640987cecb2f28eff3f8b518", + "support" + ], "workers/modules/resources/dynamic-import-worker.js": [ "9db02105e0ee1300518ca70259d4a93671062219", "support" ], "workers/modules/resources/empty-worker.js": [ "84b3339c3419e318803e51f46d7252d9e8ac183b", "support" ], @@ -624692,16 +624726,20 @@ "workers/modules/resources/export-on-dynamic-import-script.js": [ "dbb6eaa13def20fd310c7aaafab3d3ef9fe99859", "support" ], "workers/modules/resources/export-on-load-script.js": [ "fab13482dce29d3150f4eb06b1375c2610ab07f3", "support" ], + "workers/modules/resources/export-on-load-script.js.headers": [ + "90d51a5e46cc58404dd5ec1e9e4e10934a6c0707", + "support" + ], "workers/modules/resources/export-on-static-import-script.js": [ "fccc8ed2855b857d435d71382ed056f94be6e69d", "support" ], "workers/modules/resources/import-meta-url-worker.js": [ "83f231a886c36543721c2b0204c18b97d10968f8", "support" ], 
@@ -624712,28 +624750,36 @@ "workers/modules/resources/nested-dynamic-import-worker.js": [ "a6da499a70bce69c7faa79fc9f22ad2cd41c7fd5", "support" ], "workers/modules/resources/nested-static-import-worker.js": [ "7a6cdac13e91d27348e63310fc53443948a51aa6", "support" ], + "workers/modules/resources/new-worker-window.html": [ + "46ae6f9fe4975ca75c0d6534710238e6140aaa4a", + "support" + ], "workers/modules/resources/post-message-on-load-worker.js": [ "c67a79ade775435a67e5999d17e7cdda450c8e50", "support" ], "workers/modules/resources/static-import-and-then-dynamic-import-worker.js": [ "d6db01b9912dbe05e03e8011bf79e644651dacae", "support" ], "workers/modules/resources/static-import-non-existent-script-worker.js": [ "e8e1f0aedcc780aac742af01387dd151b10104bc", "support" ], + "workers/modules/resources/static-import-remote-origin-script-worker.sub.js": [ + "2f0657e4a67fb1e5e5c6c8bb81fcc084a846ad71", + "support" + ], "workers/modules/resources/static-import-worker.js": [ "4ccc3d3a7522527a5e62ec1adeb963220cfcd43c", "support" ], "workers/name-property.html": [ "782f980596535125995d91c678d94fe98169b7da", "testharness" ],
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/workers/modules/dedicated-worker-import-csp.html
@@ -0,0 +1,114 @@
+<!DOCTYPE html>
+<title>DedicatedWorker: CSP for ES Modules</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script>
+
+async function openWindow(url) {
+ const win = window.open(url, '_blank');
+ add_result_callback(() => win.close());
+ const msg_event = await new Promise(resolve => window.onmessage = resolve);
+ assert_equals(msg_event.data, 'LOADED');
+ return win;
+}
+
+function import_csp_test(
+ cspHeader, scriptURL, expectedImportedModules, description) {
+ const windowURL =
+ `resources/new-worker-window.html?pipe=header(` +
+ `Content-Security-Policy, ${cspHeader})`;
+ promise_test(async () => {
+ // Open a window that has the given CSP header.
+ const win = await openWindow(windowURL);
+ // Ask the window to start a dedicated worker. The worker inherits the
+ // window's CSP header.
+ // https://w3c.github.io/webappsec-csp/#initialize-global-object-csp
+ win.postMessage(scriptURL, '*');
+ const msg_event = await new Promise(resolve => window.onmessage = resolve);
+ assert_array_equals(msg_event.data, expectedImportedModules);
+ }, description);
+}
+
+// Tests for static import.
+//
+// Static import should obey the worker-src directive and the script-src
+// directive. If the both directives are specified, the worker-src directive
+// should be prioritized.
+//
+// Step 1: "If the result of executing 6.6.1.11 Get the effective directive for
+// request on request is "worker-src", and policy contains a directive whose
+// name is "worker-src", return "Allowed"."
+// "Note: If worker-src is present, we’ll defer to it when handling worker
+// requests."
+// https://w3c.github.io/webappsec-csp/#script-src-pre-request
+
+import_csp_test(
+ "worker-src 'self' 'unsafe-inline'",
+ "static-import-remote-origin-script-worker.sub.js",
+ ['ERROR'],
+ "worker-src 'self' directive should disallow cross origin static import.");
+
+import_csp_test(
+ "worker-src * 'unsafe-inline'",
+ "static-import-remote-origin-script-worker.sub.js",
+ ["export-on-load-script.js"],
+ "worker-src * directive should allow cross origin static import.")
+
+import_csp_test(
+ "script-src 'self' 'unsafe-inline'",
+ "static-import-remote-origin-script-worker.sub.js",
+ ['ERROR'],
+ "script-src 'self' directive should disallow cross origin static import.");
+
+import_csp_test(
+ "script-src * 'unsafe-inline'",
+ "static-import-remote-origin-script-worker.sub.js",
+ ["export-on-load-script.js"],
+ "script-src * directive should allow cross origin static import.")
+
+import_csp_test(
+ "worker-src *; script-src 'self' 'unsafe-inline'",
+ "static-import-remote-origin-script-worker.sub.js",
+ ["export-on-load-script.js"],
+ "worker-src * directive should override script-src 'self' directive and " +
+ "allow cross origin static import.");
+
+import_csp_test(
+ "worker-src 'self'; script-src * 'unsafe-inline'",
+ "static-import-remote-origin-script-worker.sub.js",
+ ['ERROR'],
+ "worker-src 'self' directive should override script-src * directive and " +
+ "disallow cross origin static import.");
+
+// Tests for dynamic import.
+//
+// Dynamic import should obey the script-src directive instead of the worker-src
+// directive according to the specs:
+//
+// Dynamic import has the "script" destination.
+// Step 2.4: "Fetch a module script graph given url, ..., "script", ..."
+// https://html.spec.whatwg.org/multipage/webappapis.html#hostimportmoduledynamically(referencingscriptormodule,-specifier,-promisecapability)
+//
+// The "script" destination should obey the script-src CSP directive.
+// Step 2: "If request's destination is script-like:"
+// https://w3c.github.io/webappsec-csp/#script-src-pre-request
+
+import_csp_test(
+ "script-src 'self' 'unsafe-inline'",
+ "dynamic-import-remote-origin-script-worker.sub.js",
+ ['ERROR'],
+ "script-src 'self' directive should disallow cross origin dynamic import.");
+
+import_csp_test(
+ "script-src * 'unsafe-inline'",
+ "dynamic-import-remote-origin-script-worker.sub.js",
+ ["export-on-load-script.js"],
+ "script-src * directive should allow cross origin dynamic import.")
+
+import_csp_test(
+ "worker-src 'self' 'unsafe-inline'",
+ "dynamic-import-remote-origin-script-worker.sub.js",
+ ["export-on-load-script.js"],
+ "worker-src 'self' directive should not take effect on dynamic import.");
+
+</script>
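Review bot: The dynamic-import section has no case where both `worker-src` and `script-src` are present, which is the configuration where a wrong precedence rule would fail open. The static section tests `worker-src *; script-src 'self'` and its mirror, but the three dynamic cases each set a single directive, so they do not pin which directive wins when a permissive `worker-src` sits next to a restrictive `script-src`. By the reasoning in the comment block above those cases, the expected result for that policy is `['ERROR']`; a sketch of the missing case follows. Separately, several `import_csp_test(...)` calls end without a semicolon while others have one.

```html
// … unchanged: the three existing dynamic-import cases …

import_csp_test(
    "worker-src *; script-src 'self' 'unsafe-inline'",
    "dynamic-import-remote-origin-script-worker.sub.js",
    ['ERROR'],
    "script-src 'self' directive should disallow cross origin dynamic import " +
    "even when worker-src * is also present.");
```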
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/workers/modules/resources/dynamic-import-remote-origin-script-worker.sub.js
@@ -0,0 +1,4 @@
+// Import a remote origin script.
+import('https://{{domains[www1]}}:{{ports[https][0]}}/workers/modules/resources/export-on-load-script.js')
+ .then(module => postMessage(module.importedModules))
+ .catch(e => postMessage(['ERROR']));
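Review bot: The `.catch` reports every rejection as `['ERROR']`, so the "should disallow" cases in dedicated-worker-import-csp.html pass on any import failure, whether it is a CSP block, an unreachable `www1` host or a CORS rejection. A comment on the catch line would make that limit explicit, for example `// Any rejection is reported as 'ERROR'; a CSP block is not distinguishable from a network or CORS failure here.` The static variant in static-import-remote-origin-script-worker.sub.js has the same property through the `worker.onerror` handler in new-worker-window.html.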
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/workers/modules/resources/export-on-load-script.js.headers
@@ -0,0 +1,1 @@
+Access-Control-Allow-Origin: *
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/workers/modules/resources/new-worker-window.html
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<title>DedicatedWorker: new Worker()</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script>
+let worker;
+
+// Creates a new dedicated worker for a given script url.
+window.onmessage = e => {
+ worker = new Worker(e.data, { type: 'module' });
+ worker.onmessage = msg => window.opener.postMessage(msg.data, '*');
+ worker.onerror = err => window.opener.postMessage(['ERROR'], '*');
+};
+window.opener.postMessage('LOADED', '*');
+</script>
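Review bot: The `window.onmessage` handler passes `e.data` straight to `new Worker()` without checking the sender, and every reply goes to the opener with target origin `'*'`. Since the opener loads this page through a relative URL, both sides are same-origin and the handler can start with `if (e.source !== window.opener) return;` and post with `location.origin` instead of `'*'`. The page also loads testharness.js and testharnessreport.js although it defines no tests. If the harness in this window sends its own messages to the opener, they would reach the opener's unfiltered `window.onmessage` and be read as a test result, which is worth confirming or avoiding by dropping the two includes.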
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/workers/modules/resources/static-import-remote-origin-script-worker.sub.js
@@ -0,0 +1,3 @@
+// Import a remote origin script.
+import * as module from 'https://{{domains[www1]}}:{{ports[https][0]}}/workers/modules/resources/export-on-load-script.js';
+postMessage(module.importedModules);