Bug 1465433 [wpt PR 11248] - Worker: Add CSP tests for ES Modules on dedicated workers, a=testonly
☠☠ backed out by eaf6dbd7b716 ☠ ☠
authorHiroki Nakagawa <nhiroki@chromium.org>
Wed, 06 Jun 2018 17:39:56 +0000
changeset 422270 938588f3dea76743c64be0a94e2df2677c66b75d
parent 422269 ecda8fb8cb10ecda5d46731771f3e89a00a657ed
child 422271 e5a51c261f1cd1a3ea043dafeb7358a8972bafda
push id34122
push userebalazs@mozilla.com
push dateMon, 11 Jun 2018 09:37:00 +0000
treeherdermozilla-central@9941eb8c3b29 [default view] [failures only]
reviewerstestonly
bugs1465433, 11248, 680046, 1078947, 563531
milestone62.0a1
Bug 1465433 [wpt PR 11248] - Worker: Add CSP tests for ES Modules on dedicated workers, a=testonly

Automatic update from web-platform-tests
Worker: Add CSP tests for ES Modules on dedicated workers

Bug: 680046
Change-Id: I066d4b7750bbec00397466daac48e9d0a2ba70c0
Reviewed-on: https://chromium-review.googlesource.com/1078947
Commit-Queue: Hiroki Nakagawa <nhiroki@chromium.org>
Reviewed-by: Matt Falkenhagen <falken@chromium.org>
Cr-Commit-Position: refs/heads/master@{#563531}

--

wpt-commits: 5679faa7a5a475724abb5bb0a3d377c4a961cbee
wpt-pr: 11248
testing/web-platform/meta/MANIFEST.json
testing/web-platform/tests/workers/modules/dedicated-worker-import-csp.html
testing/web-platform/tests/workers/modules/resources/dynamic-import-remote-origin-script-worker.sub.js
testing/web-platform/tests/workers/modules/resources/export-on-load-script.js.headers
testing/web-platform/tests/workers/modules/resources/new-worker-window.html
testing/web-platform/tests/workers/modules/resources/static-import-remote-origin-script-worker.sub.js
--- a/testing/web-platform/meta/MANIFEST.json
+++ b/testing/web-platform/meta/MANIFEST.json
@@ -300445,16 +300445,21 @@
      {}
     ]
    ],
    "workers/modules/resources/dynamic-import-given-url-worker.js": [
     [
      {}
     ]
    ],
+   "workers/modules/resources/dynamic-import-remote-origin-script-worker.sub.js": [
+    [
+     {}
+    ]
+   ],
    "workers/modules/resources/dynamic-import-worker.js": [
     [
      {}
     ]
    ],
    "workers/modules/resources/empty-worker.js": [
     [
      {}
@@ -300470,16 +300475,21 @@
      {}
     ]
    ],
    "workers/modules/resources/export-on-load-script.js": [
     [
      {}
     ]
    ],
+   "workers/modules/resources/export-on-load-script.js.headers": [
+    [
+     {}
+    ]
+   ],
    "workers/modules/resources/export-on-static-import-script.js": [
     [
      {}
     ]
    ],
    "workers/modules/resources/import-meta-url-worker.js": [
     [
      {}
@@ -300495,31 +300505,41 @@
      {}
     ]
    ],
    "workers/modules/resources/nested-static-import-worker.js": [
     [
      {}
     ]
    ],
+   "workers/modules/resources/new-worker-window.html": [
+    [
+     {}
+    ]
+   ],
    "workers/modules/resources/post-message-on-load-worker.js": [
     [
      {}
     ]
    ],
    "workers/modules/resources/static-import-and-then-dynamic-import-worker.js": [
     [
      {}
     ]
    ],
    "workers/modules/resources/static-import-non-existent-script-worker.js": [
     [
      {}
     ]
    ],
+   "workers/modules/resources/static-import-remote-origin-script-worker.sub.js": [
+    [
+     {}
+    ]
+   ],
    "workers/modules/resources/static-import-worker.js": [
     [
      {}
     ]
    ],
    "workers/non-automated/application-cache-dedicated.html": [
     [
      {}
@@ -382775,16 +382795,22 @@
     ]
    ],
    "workers/interfaces/WorkerUtils/navigator/language.html": [
     [
      "/workers/interfaces/WorkerUtils/navigator/language.html",
      {}
     ]
    ],
+   "workers/modules/dedicated-worker-import-csp.html": [
+    [
+     "/workers/modules/dedicated-worker-import-csp.html",
+     {}
+    ]
+   ],
    "workers/modules/dedicated-worker-import-failure.html": [
     [
      "/workers/modules/dedicated-worker-import-failure.html",
      {}
     ]
    ],
    "workers/modules/dedicated-worker-import-meta.html": [
     [
@@ -624636,16 +624662,20 @@
   "workers/interfaces/WorkerUtils/navigator/007.html": [
    "9b7b7485f1db37368824a593b2d6cbea46dad440",
    "testharness"
   ],
   "workers/interfaces/WorkerUtils/navigator/language.html": [
    "6bffa3be83d81e2faa93119e710e4fee93fb855e",
    "testharness"
   ],
+  "workers/modules/dedicated-worker-import-csp.html": [
+   "e889866185addcccf72828df7e75cec387cffab5",
+   "testharness"
+  ],
   "workers/modules/dedicated-worker-import-failure.html": [
    "63b2320a3ecf6133a3525574bf5a1d185d1f3aa7",
    "testharness"
   ],
   "workers/modules/dedicated-worker-import-meta.html": [
    "32cd3419ff904a2440d9a6eaa7cb28f78d4a7e32",
    "testharness"
   ],
@@ -624672,16 +624702,20 @@
   "workers/modules/resources/dynamic-import-and-then-static-import-worker.js": [
    "60eba309a41fc8c07989f87e22400c7fc799687d",
    "support"
   ],
   "workers/modules/resources/dynamic-import-given-url-worker.js": [
    "9d64de6e63d110e6eff89a124e94cdec9d1802c2",
    "support"
   ],
+  "workers/modules/resources/dynamic-import-remote-origin-script-worker.sub.js": [
+   "bb2d9e0c4c641451640987cecb2f28eff3f8b518",
+   "support"
+  ],
   "workers/modules/resources/dynamic-import-worker.js": [
    "9db02105e0ee1300518ca70259d4a93671062219",
    "support"
   ],
   "workers/modules/resources/empty-worker.js": [
    "84b3339c3419e318803e51f46d7252d9e8ac183b",
    "support"
   ],
@@ -624692,16 +624726,20 @@
   "workers/modules/resources/export-on-dynamic-import-script.js": [
    "dbb6eaa13def20fd310c7aaafab3d3ef9fe99859",
    "support"
   ],
   "workers/modules/resources/export-on-load-script.js": [
    "fab13482dce29d3150f4eb06b1375c2610ab07f3",
    "support"
   ],
+  "workers/modules/resources/export-on-load-script.js.headers": [
+   "90d51a5e46cc58404dd5ec1e9e4e10934a6c0707",
+   "support"
+  ],
   "workers/modules/resources/export-on-static-import-script.js": [
    "fccc8ed2855b857d435d71382ed056f94be6e69d",
    "support"
   ],
   "workers/modules/resources/import-meta-url-worker.js": [
    "83f231a886c36543721c2b0204c18b97d10968f8",
    "support"
   ],
@@ -624712,28 +624750,36 @@
   "workers/modules/resources/nested-dynamic-import-worker.js": [
    "a6da499a70bce69c7faa79fc9f22ad2cd41c7fd5",
    "support"
   ],
   "workers/modules/resources/nested-static-import-worker.js": [
    "7a6cdac13e91d27348e63310fc53443948a51aa6",
    "support"
   ],
+  "workers/modules/resources/new-worker-window.html": [
+   "46ae6f9fe4975ca75c0d6534710238e6140aaa4a",
+   "support"
+  ],
   "workers/modules/resources/post-message-on-load-worker.js": [
    "c67a79ade775435a67e5999d17e7cdda450c8e50",
    "support"
   ],
   "workers/modules/resources/static-import-and-then-dynamic-import-worker.js": [
    "d6db01b9912dbe05e03e8011bf79e644651dacae",
    "support"
   ],
   "workers/modules/resources/static-import-non-existent-script-worker.js": [
    "e8e1f0aedcc780aac742af01387dd151b10104bc",
    "support"
   ],
+  "workers/modules/resources/static-import-remote-origin-script-worker.sub.js": [
+   "2f0657e4a67fb1e5e5c6c8bb81fcc084a846ad71",
+   "support"
+  ],
   "workers/modules/resources/static-import-worker.js": [
    "4ccc3d3a7522527a5e62ec1adeb963220cfcd43c",
    "support"
   ],
   "workers/name-property.html": [
    "782f980596535125995d91c678d94fe98169b7da",
    "testharness"
   ],
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/workers/modules/dedicated-worker-import-csp.html
@@ -0,0 +1,114 @@
+<!DOCTYPE html>
+<title>DedicatedWorker: CSP for ES Modules</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script>
+
+async function openWindow(url) {
+  const win = window.open(url, '_blank');
+  add_result_callback(() => win.close());
+  const msg_event = await new Promise(resolve => window.onmessage = resolve);
+  assert_equals(msg_event.data, 'LOADED');
+  return win;
+}
+
+function import_csp_test(
+    cspHeader, scriptURL, expectedImportedModules, description) {
+  const windowURL =
+      `resources/new-worker-window.html?pipe=header(` +
+          `Content-Security-Policy, ${cspHeader})`;
+  promise_test(async () => {
+    // Open a window that has the given CSP header.
+    const win = await openWindow(windowURL);
+    // Ask the window to start a dedicated worker. The worker inherits the
+    // window's CSP header.
+    // https://w3c.github.io/webappsec-csp/#initialize-global-object-csp
+    win.postMessage(scriptURL, '*');
+    const msg_event = await new Promise(resolve => window.onmessage = resolve);
+    assert_array_equals(msg_event.data, expectedImportedModules);
+  }, description);
+}
+
+// Tests for static import.
+//
+// Static import should obey the worker-src directive and the script-src
+// directive. If the both directives are specified, the worker-src directive
+// should be prioritized.
+//
+// Step 1: "If the result of executing 6.6.1.11 Get the effective directive for
+// request on request is "worker-src", and policy contains a directive whose
+// name is "worker-src", return "Allowed"."
+// "Note: If worker-src is present, we’ll defer to it when handling worker
+// requests."
+// https://w3c.github.io/webappsec-csp/#script-src-pre-request
+
+import_csp_test(
+    "worker-src 'self' 'unsafe-inline'",
+    "static-import-remote-origin-script-worker.sub.js",
+    ['ERROR'],
+    "worker-src 'self' directive should disallow cross origin static import.");
+
+import_csp_test(
+    "worker-src * 'unsafe-inline'",
+    "static-import-remote-origin-script-worker.sub.js",
+    ["export-on-load-script.js"],
+    "worker-src * directive should allow cross origin static import.")
+
+import_csp_test(
+    "script-src 'self' 'unsafe-inline'",
+    "static-import-remote-origin-script-worker.sub.js",
+    ['ERROR'],
+    "script-src 'self' directive should disallow cross origin static import.");
+
+import_csp_test(
+    "script-src * 'unsafe-inline'",
+    "static-import-remote-origin-script-worker.sub.js",
+    ["export-on-load-script.js"],
+    "script-src * directive should allow cross origin static import.")
+
+import_csp_test(
+    "worker-src *; script-src 'self' 'unsafe-inline'",
+    "static-import-remote-origin-script-worker.sub.js",
+    ["export-on-load-script.js"],
+    "worker-src * directive should override script-src 'self' directive and " +
+        "allow cross origin static import.");
+
+import_csp_test(
+    "worker-src 'self'; script-src * 'unsafe-inline'",
+    "static-import-remote-origin-script-worker.sub.js",
+    ['ERROR'],
+    "worker-src 'self' directive should override script-src * directive and " +
+        "disallow cross origin static import.");
+
+// Tests for dynamic import.
+//
+// Dynamic import should obey the script-src directive instead of the worker-src
+// directive according to the specs:
+//
+// Dynamic import has the "script" destination.
+// Step 2.4: "Fetch a module script graph given url, ..., "script", ..."
+// https://html.spec.whatwg.org/multipage/webappapis.html#hostimportmoduledynamically(referencingscriptormodule,-specifier,-promisecapability)
+//
+// The "script" destination should obey the script-src CSP directive.
+// Step 2: "If request's destination is script-like:"
+// https://w3c.github.io/webappsec-csp/#script-src-pre-request
+
+import_csp_test(
+    "script-src 'self' 'unsafe-inline'",
+    "dynamic-import-remote-origin-script-worker.sub.js",
+    ['ERROR'],
+    "script-src 'self' directive should disallow cross origin dynamic import.");
+
+import_csp_test(
+    "script-src * 'unsafe-inline'",
+    "dynamic-import-remote-origin-script-worker.sub.js",
+    ["export-on-load-script.js"],
+    "script-src * directive should allow cross origin dynamic import.")
+
+import_csp_test(
+    "worker-src 'self' 'unsafe-inline'",
+    "dynamic-import-remote-origin-script-worker.sub.js",
+    ["export-on-load-script.js"],
+    "worker-src 'self' directive should not take effect on dynamic import.");
+
+</script>
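Review bot: The dynamic-import group at the end of this file never asserts a policy that carries both directives, yet that mixed case is where a wrong precedence would let `worker-src *` loosen `script-src 'self'` for `import()`. The static-import group already has both mixed-policy cases; the dynamic group should mirror them with the expectations inverted, matching the comment block that says dynamic import obeys script-src rather than worker-src. The two cases below reuse the existing worker script and the same `'unsafe-inline'` allowance the other script-src policies carry.

```html
// … unchanged: the three existing dynamic-import cases …

import_csp_test(
    "worker-src *; script-src 'self' 'unsafe-inline'",
    "dynamic-import-remote-origin-script-worker.sub.js",
    ['ERROR'],
    "worker-src * directive should not override script-src 'self' directive " +
        "and disallow cross origin dynamic import.");

import_csp_test(
    "worker-src 'self'; script-src * 'unsafe-inline'",
    "dynamic-import-remote-origin-script-worker.sub.js",
    ["export-on-load-script.js"],
    "worker-src 'self' directive should not override script-src * directive " +
        "and allow cross origin dynamic import.");
```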
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/workers/modules/resources/dynamic-import-remote-origin-script-worker.sub.js
@@ -0,0 +1,4 @@
+// Import a remote origin script.
+import('https://{{domains[www1]}}:{{ports[https][0]}}/workers/modules/resources/export-on-load-script.js')
+  .then(module => postMessage(module.importedModules))
+  .catch(e => postMessage(['ERROR']));
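Review bot: The `.catch(e => postMessage(['ERROR']))` handler reports every rejection the same way, so a CSP block cannot be told apart from a CORS, network or module-evaluation failure, and the "disallow" cases in dedicated-worker-import-csp.html would still pass if the www1 host were simply unreachable. The paired "allow" cases are what show the resource is reachable, which is worth stating here: `// Any failure (CSP, CORS, network) is reported as ['ERROR']; the matching allow-case test proves the URL itself loads.` The same holds for `worker.onerror` in new-worker-window.html, which the static-import worker relies on to surface a blocked import.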
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/workers/modules/resources/export-on-load-script.js.headers
@@ -0,0 +1,1 @@
+Access-Control-Allow-Origin: *
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/workers/modules/resources/new-worker-window.html
@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<title>DedicatedWorker: new Worker()</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script>
+let worker;
+
+// Creates a new dedicated worker for a given script url.
+window.onmessage = e => {
+  worker = new Worker(e.data, { type: 'module' });
+  worker.onmessage = msg => window.opener.postMessage(msg.data, '*');
+  worker.onerror = err => window.opener.postMessage(['ERROR'], '*');
+};
+window.opener.postMessage('LOADED', '*');
+</script>
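Review bot: The `window.onmessage` handler passes `e.data` straight to `new Worker()` without checking who sent it; a guard such as `if (e.source !== window.opener) return;` at the top of the handler would tie this helper to the test page that opened it. The replies use `'*'` as the target origin, and since the opener loads this page by a relative URL (presumably same-origin), `location.origin` looks usable instead; confirm against the harness. The listeners in dedicated-worker-import-csp.html have the matching gap: they resolve on the next message received without comparing `msg_event.source` with `win`, so a late message from an earlier test's window could satisfy a later assertion.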
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/workers/modules/resources/static-import-remote-origin-script-worker.sub.js
@@ -0,0 +1,3 @@
+// Import a remote origin script.
+import * as module from 'https://{{domains[www1]}}:{{ports[https][0]}}/workers/modules/resources/export-on-load-script.js';
+postMessage(module.importedModules);