dedicated-worker-import-csp.html

Enable keyboard shortcuts

This test has a WPT meta file that expects 3 subtest issues.
This WPT test may be referenced by the following Test IDs:
- /workers/modules/dedicated-worker-import-csp.html - WPT Dashboard Interop Dashboard

<!DOCTYPE html>

<title>DedicatedWorker: CSP for ES Modules</title>

<script src="/resources/testharness.js"></script>

<script src="/resources/testharnessreport.js"></script>

<script>

async function openWindow(url) {

  const win = window.open(url, '_blank');

  add_result_callback(() => win.close());

  const msg_event = await new Promise(resolve => window.onmessage = resolve);

  assert_equals(msg_event.data, 'LOADED');

  return win;

function import_csp_test(

    cspHeader, importType, expectedImportedModules, description) {

  // Append CSP header to windowURL for static import tests since static import

  // scripts should obey Window's CSP.

  const windowURL = `resources/new-worker-window.html` +

      `${importType === 'static'

          ? '?pipe=header(Content-Security-Policy, ' + cspHeader + ')'

          : ''}`;

  // Append CSP header to scriptURL for dynamic import tests since dynamic

  // import scripts should obey Worker script's response's CSP.

  const scriptURL = `${importType}-import-remote-origin-script-worker.sub.js` +

      `${importType === 'dynamic'

          ? '?pipe=header(Content-Security-Policy, ' + cspHeader + ')'

          : ''}`;

  promise_test(async () => {

    const win = await openWindow(windowURL);

    // Ask the window to start a dedicated worker.

    win.postMessage(scriptURL, '*');

    const msg_event = await new Promise(resolve => window.onmessage = resolve);

    assert_array_equals(msg_event.data, expectedImportedModules);

  }, description);

// Tests for static import.

//

// Static import should obey the worker-src directive and the script-src

// directive. If the both directives are specified, the worker-src directive

// should be prioritized.

//

// Step 1: "If the result of executing 6.6.1.11 Get the effective directive for

// request on request is "worker-src", and policy contains a directive whose

// name is "worker-src", return "Allowed"."

// "Note: If worker-src is present, we’ll defer to it when handling worker

// requests."

// https://w3c.github.io/webappsec-csp/#script-src-pre-request

import_csp_test(

    "worker-src 'self' 'unsafe-inline'",

    "static",

    ['ERROR'],

    "worker-src 'self' directive should disallow cross origin static import.");

import_csp_test(

    "worker-src * 'unsafe-inline'",

    "static",

    ["export-on-load-script.js"],

    "worker-src * directive should allow cross origin static import.")

import_csp_test(

    "script-src 'self' 'unsafe-inline'",

    "static",

    ['ERROR'],

    "script-src 'self' directive should disallow cross origin static import.");

import_csp_test(

    "script-src * 'unsafe-inline'",

    "static",

    ["export-on-load-script.js"],

    "script-src * directive should allow cross origin static import.")

import_csp_test(

    "worker-src *; script-src 'self' 'unsafe-inline'",

    "static",

    ["export-on-load-script.js"],

    "worker-src * directive should override script-src 'self' directive and " +

        "allow cross origin static import.");

import_csp_test(

    "worker-src 'self'; script-src * 'unsafe-inline'",

    "static",

    ['ERROR'],

    "worker-src 'self' directive should override script-src * directive and " +

        "disallow cross origin static import.");

// For static imports on workers, the effective directive should be 'worker-src'.

// https://w3c.github.io/webappsec-csp/#effective-directive-for-a-request

//

// The directive fallback list of 'worker-src' doesn't contain 'script-src-elem'

// https://w3c.github.io/webappsec-csp/#directive-fallback-list

import_csp_test(

    "script-src-elem 'self' 'unsafe-inline'",

    "static",

    ["export-on-load-script.js"],

    "script-src-elem 'self' directive should not take effect on static import.");

// Tests for dynamic import.

//

// Dynamic import should obey the script-src directive instead of the worker-src

// directive according to the specs:

//

// Dynamic import has the "script" destination.

// Step 2.4: "Fetch a module script graph given url, ..., "script", ..."

// https://html.spec.whatwg.org/multipage/webappapis.html#hostimportmoduledynamically(referencingscriptormodule,-specifier,-promisecapability)

//

// The "script" destination should obey the script-src CSP directive.

// Step 2: "If request's destination is script-like:"

// https://w3c.github.io/webappsec-csp/#script-src-pre-request

import_csp_test(

    "script-src 'self' 'unsafe-inline'",

    "dynamic",

    ['ERROR'],

    "script-src 'self' directive should disallow cross origin dynamic import.");

// For dynamic imports, the effective directive should be 'script-src-elem'.

// https://w3c.github.io/webappsec-csp/#effective-directive-for-a-request

import_csp_test(

    "script-src-elem 'self' 'unsafe-inline'",

    "dynamic",

    ['ERROR'],

    "script-src-elem 'self' directive should disallow cross origin dynamic import.");

import_csp_test(

    "script-src * 'unsafe-inline'",

    "dynamic",

    ["export-on-load-script.js"],

    "script-src * directive should allow cross origin dynamic import.")

import_csp_test(

    "worker-src 'self' 'unsafe-inline'",

    "dynamic",

    ["export-on-load-script.js"],

    "worker-src 'self' directive should not take effect on dynamic import.");

</script>