# Worker script served with "Content-Security-Policy: default-src 'self'"
# (selected by ?directive=default in main()). The tests inside assert that
# every cross-origin access is blocked under this policy: importScripts()
# of a remote-origin script must throw, eval()/new Function() must raise
# EvalError, and both the direct CORS fetch to the remote origin and the
# same-origin redirect.py hop to that origin must reject.
bodyDefault = b'''
importScripts('worker-testharness.js');
importScripts('test-helpers.sub.js');
importScripts('/common/get-host-info.sub.js');
var host_info = get_host_info();
test(function() {
var import_script_failed = false;
try {
importScripts(host_info.HTTPS_REMOTE_ORIGIN +
base_path() + 'empty.js');
} catch(e) {
import_script_failed = true;
}
assert_true(import_script_failed,
'Importing the other origins script should fail.');
}, 'importScripts test for default-src');
test(function() {
assert_throws_js(EvalError,
function() { eval('1 + 1'); },
'eval() should throw EvalError.')
assert_throws_js(EvalError,
function() { new Function('1 + 1'); },
'new Function() should throw EvalError.')
}, 'eval test for default-src');
async_test(function(t) {
fetch(host_info.HTTPS_REMOTE_ORIGIN +
base_path() + 'fetch-access-control.py?ACAOrigin=*',
{mode: 'cors'})
.then(function(response){
assert_unreached('fetch should fail.');
}, function(){
t.done();
})
.catch(unreached_rejection(t));
}, 'Fetch test for default-src');
async_test(function(t) {
var REDIRECT_URL = host_info.HTTPS_ORIGIN +
base_path() + 'redirect.py?Redirect=';
var OTHER_BASE_URL = host_info.HTTPS_REMOTE_ORIGIN +
base_path() + 'fetch-access-control.py?'
fetch(REDIRECT_URL + encodeURIComponent(OTHER_BASE_URL + 'ACAOrigin=*'),
{mode: 'cors'})
.then(function(response){
assert_unreached('Redirected fetch should fail.');
}, function(){
t.done();
})
.catch(unreached_rejection(t));
}, 'Redirected fetch test for default-src');'''
# Worker script served with "Content-Security-Policy: script-src 'self'"
# (selected by ?directive=script in main()). Only script loading is
# restricted here: the tests assert that remote-origin importScripts()
# throws and eval()/new Function() raise EvalError, while the direct CORS
# fetch and the redirected fetch to the remote origin must both succeed,
# since this policy sets no connect-src.
bodyScript = b'''
importScripts('worker-testharness.js');
importScripts('test-helpers.sub.js');
importScripts('/common/get-host-info.sub.js');
var host_info = get_host_info();
test(function() {
var import_script_failed = false;
try {
importScripts(host_info.HTTPS_REMOTE_ORIGIN +
base_path() + 'empty.js');
} catch(e) {
import_script_failed = true;
}
assert_true(import_script_failed,
'Importing the other origins script should fail.');
}, 'importScripts test for script-src');
test(function() {
assert_throws_js(EvalError,
function() { eval('1 + 1'); },
'eval() should throw EvalError.')
assert_throws_js(EvalError,
function() { new Function('1 + 1'); },
'new Function() should throw EvalError.')
}, 'eval test for script-src');
async_test(function(t) {
fetch(host_info.HTTPS_REMOTE_ORIGIN +
base_path() + 'fetch-access-control.py?ACAOrigin=*',
{mode: 'cors'})
.then(function(response){
t.done();
}, function(){
assert_unreached('fetch should not fail.');
})
.catch(unreached_rejection(t));
}, 'Fetch test for script-src');
async_test(function(t) {
var REDIRECT_URL = host_info.HTTPS_ORIGIN +
base_path() + 'redirect.py?Redirect=';
var OTHER_BASE_URL = host_info.HTTPS_REMOTE_ORIGIN +
base_path() + 'fetch-access-control.py?'
fetch(REDIRECT_URL + encodeURIComponent(OTHER_BASE_URL + 'ACAOrigin=*'),
{mode: 'cors'})
.then(function(response){
t.done();
}, function(){
assert_unreached('Redirected fetch should not fail.');
})
.catch(unreached_rejection(t));
}, 'Redirected fetch test for script-src');'''
# Worker script served with "Content-Security-Policy: connect-src 'self'"
# (selected by ?directive=connect in main()). The inverse of the script-src
# case: the tests assert that remote-origin importScripts() and
# eval()/new Function() are NOT blocked (no script-src is set), whereas the
# direct CORS fetch and the redirected fetch to the remote origin must
# reject. The eval check uses a try/catch flag rather than assert_throws_js
# because the expectation here is that nothing throws.
bodyConnect = b'''
importScripts('worker-testharness.js');
importScripts('test-helpers.sub.js');
importScripts('/common/get-host-info.sub.js');
var host_info = get_host_info();
test(function() {
var import_script_failed = false;
try {
importScripts(host_info.HTTPS_REMOTE_ORIGIN +
base_path() + 'empty.js');
} catch(e) {
import_script_failed = true;
}
assert_false(import_script_failed,
'Importing the other origins script should not fail.');
}, 'importScripts test for connect-src');
test(function() {
var eval_failed = false;
try {
eval('1 + 1');
new Function('1 + 1');
} catch(e) {
eval_failed = true;
}
assert_false(eval_failed,
'connect-src without unsafe-eval should not block eval().');
}, 'eval test for connect-src');
async_test(function(t) {
fetch(host_info.HTTPS_REMOTE_ORIGIN +
base_path() + 'fetch-access-control.py?ACAOrigin=*',
{mode: 'cors'})
.then(function(response){
assert_unreached('fetch should fail.');
}, function(){
t.done();
})
.catch(unreached_rejection(t));
}, 'Fetch test for connect-src');
async_test(function(t) {
var REDIRECT_URL = host_info.HTTPS_ORIGIN +
base_path() + 'redirect.py?Redirect=';
var OTHER_BASE_URL = host_info.HTTPS_REMOTE_ORIGIN +
base_path() + 'fetch-access-control.py?'
fetch(REDIRECT_URL + encodeURIComponent(OTHER_BASE_URL + 'ACAOrigin=*'),
{mode: 'cors'})
.then(function(response){
assert_unreached('Redirected fetch should fail.');
}, function(){
t.done();
})
.catch(unreached_rejection(t));
}, 'Redirected fetch test for connect-src');'''
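def main(request, response):
    """wptserve handler: serve a worker script under the CSP named by ?directive=.

    Args:
        request: wptserve request; ``request.GET[b'directive']`` selects the
            policy (b'default', b'script' or b'connect').
        response: unused; the handler returns headers and body instead of
            writing to it.

    Returns:
        ``(headers, body)``. ``headers`` always carries an
        ``application/javascript`` Content-Type and, for a known directive,
        the matching ``Content-Security-Policy`` header. ``body`` is the
        worker script for that directive, or ``b'ERROR: Unknown directive'``
        when the directive is unknown or absent.
    """
    headers = [(b'Content-Type', b'application/javascript')]

    # Read the parameter defensively: the original indexed request.GET
    # directly, so a request without ?directive= raised KeyError and wptserve
    # answered with a 500 instead of the intended error body.
    directive = request.GET[b'directive'] if b'directive' in request.GET else None

    # Directive name -> (CSP header value, worker script to serve under it).
    policies = {
        b'default': (b"default-src 'self'", bodyDefault),
        b'script': (b"script-src 'self'", bodyScript),
        b'connect': (b"connect-src 'self'", bodyConnect),
    }

    if directive in policies:
        csp, body = policies[directive]
        headers.append((b'Content-Security-Policy', csp))
    else:
        body = b'ERROR: Unknown directive'
    return headers, body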