Source code

Revision control

Copy as Markdown

Other Tools

Test Info: Warnings

<!DOCTYPE html>
<title>Service Worker: CSP control of fetch()</title>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/common/get-host-info.sub.js"></script>
<script src="resources/test-helpers.sub.js?pipe=sub"></script>
<script>
function assert_resolves(promise, description) {
return promise.catch(function(reason) {
throw new Error(description + ' - ' + reason.message);
});
}
function assert_rejects(promise, description) {
return promise.then(
function() { throw new Error(description); },
function() {});
}
promise_test(function(t) {
var SCOPE = 'resources/fetch-csp-iframe.html';
var SCRIPT = 'resources/fetch-rewrite-worker.js';
var host_info = get_host_info();
var IMAGE_PATH =
base_path() + 'resources/fetch-access-control.py?PNGIMAGE';
var IMAGE_URL = host_info['HTTPS_ORIGIN'] + IMAGE_PATH;
var REMOTE_IMAGE_URL = host_info['HTTPS_REMOTE_ORIGIN'] + IMAGE_PATH;
var REDIRECT_URL =
host_info['HTTPS_ORIGIN'] + base_path() + 'resources/redirect.py';
var frame;
return service_worker_unregister_and_register(t, SCRIPT, SCOPE)
.then(function(registration) {
t.add_cleanup(function() {
return service_worker_unregister(t, SCOPE);
});
return wait_for_state(t, registration.installing, 'activated');
})
.then(function() {
return with_iframe(
SCOPE + '?' +
encodeURIComponent('img-src ' + host_info['HTTPS_ORIGIN'] +
'; script-src \'unsafe-inline\''));
})
.then(function(f) {
frame = f;
return assert_resolves(
frame.contentWindow.load_image(IMAGE_URL),
'Allowed scope image resource should be loaded.');
})
.then(function() {
return assert_rejects(
frame.contentWindow.load_image(REMOTE_IMAGE_URL),
'Disallowed scope image resource should not be loaded.');
})
.then(function() {
return assert_resolves(
frame.contentWindow.load_image(
// The request for IMAGE_URL will be fetched in SW.
'./sample?url=' + encodeURIComponent(IMAGE_URL)),
'Allowed scope image resource which was fetched via SW should ' +
'be loaded.');
})
.then(function() {
return assert_rejects(
frame.contentWindow.load_image(
// The request for REMOTE_IMAGE_URL will be fetched in SW.
'./sample?mode=no-cors&url=' +
encodeURIComponent(REMOTE_IMAGE_URL)),
'Disallowed scope image resource which was fetched via SW ' +
'should not be loaded.');
})
.then(function() {
frame.remove();
return with_iframe(
SCOPE + '?' +
encodeURIComponent(
'img-src ' + REDIRECT_URL +
'; script-src \'unsafe-inline\''));
})
.then(function(f) {
frame = f;
return assert_resolves(
frame.contentWindow.load_image(
// Set 'ignore' not to call respondWith() in the SW.
REDIRECT_URL + '?ignore&Redirect=' +
encodeURIComponent(IMAGE_URL)),
'When the request was redirected, CSP match algorithm should ' +
'ignore the path component of the URL.');
})
.then(function() {
return assert_resolves(
frame.contentWindow.load_image(
// This request will be fetched via SW and redirected by
// redirect.php.
REDIRECT_URL + '?Redirect=' + encodeURIComponent(IMAGE_URL)),
'When the request was redirected via SW, CSP match algorithm ' +
'should ignore the path component of the URL.');
})
.then(function() {
return assert_resolves(
frame.contentWindow.load_image(
// The request for IMAGE_URL will be fetched in SW.
REDIRECT_URL + '?url=' + encodeURIComponent(IMAGE_URL)),
'When the request was fetched via SW, CSP match algorithm ' +
'should ignore the path component of the URL.');
})
.then(function() {
return assert_resolves(
frame.contentWindow.fetch(IMAGE_URL + "&fetch1", { mode: 'no-cors'}),
'Allowed scope fetch resource should be loaded.');
})
.then(function() {
return assert_resolves(
frame.contentWindow.fetch(
// The request for IMAGE_URL will be fetched in SW.
'./sample?url=' + encodeURIComponent(IMAGE_URL + '&fetch2'), { mode: 'no-cors'}),
'Allowed scope fetch resource which was fetched via SW should be loaded.');
})
.then(function() {
return assert_rejects(
frame.contentWindow.fetch(REMOTE_IMAGE_URL + "&fetch3", { mode: 'no-cors'}),
'Disallowed scope fetch resource should not be loaded.');
})
.then(function() {
return assert_rejects(
frame.contentWindow.fetch(
// The request for REMOTE_IMAGE_URL will be fetched in SW.
'./sample?url=' + encodeURIComponent(REMOTE_IMAGE_URL + '&fetch4'), { mode: 'no-cors'}),
'Disallowed scope fetch resource which was fetched via SW should not be loaded.');
})
.then(function() {
frame.remove();
});
}, 'Verify CSP control of fetch() in a Service Worker');
</script>