csp-tests.js - mozsearch

Enable keyboard shortcuts

function openWindow(url) {

  return new Promise(resolve => {

    const win = window.open(url, '_blank');

    add_result_callback(() => win.close());

    window.onmessage = e => {

      assert_equals(e.data, 'LOADED');

      resolve(win);

};

});

function openWindowAndExpectResult(windowURL, scriptURL, type, expectation) {

  return openWindow(windowURL).then(win => {

    const promise = new Promise(r => window.onmessage = r);

    win.postMessage({ type: type, script_url: scriptURL }, '*');

    return promise;

  }).then(msg_event => assert_equals(msg_event.data, expectation));

// Runs a series of tests related to content security policy on a worklet.

//

// Usage:

// runContentSecurityPolicyTests("paint");

function runContentSecurityPolicyTests(workletType) {

  runSrcTests(workletType);

  runMixedContentTests(workletType);

// script-src and worker-src tests.

function runSrcTests(workletType) {

  const kWindowConfigs = [

      'windowURL':

        'resources/addmodule-window.html?pipe=header(' +

        'Content-Security-Policy, script-src \'self\' \'unsafe-inline\')',

      'crossOriginExpectation': 'REJECTED',

      'message': 'should be blocked by the script-src \'self\' directive.'

},

      'windowURL':

        'resources/addmodule-window.html?pipe=header(' +

        'Content-Security-Policy, script-src ' + location.origin + ' ' +

        get_host_info().HTTPS_REMOTE_ORIGIN + ' \'unsafe-inline\')',

      'crossOriginExpectation': 'RESOLVED',

      'message':

        'should not be blocked because the script-src directive ' +

        'specifying the origin allows it.'

},

      'windowURL':

        'resources/addmodule-window.html?pipe=header(' +

        'Content-Security-Policy, script-src * \'unsafe-inline\')',

      'crossOriginExpectation': 'RESOLVED',

      'message':

        'should not be blocked because the script-src * directive allows it.'

},

      'windowURL':

        'resources/addmodule-window.html?pipe=header(' +

        'Content-Security-Policy, worker-src \'self\' \'unsafe-inline\')',

      'crossOriginExpectation': 'RESOLVED',

      'message':

        'should not be blocked by the worker-src directive ' +

        'because worklets obey the script-src directive.'

];

  for (const windowConfig of kWindowConfigs) {

    promise_test(t => {

        const kScriptURL =

          get_host_info().HTTPS_REMOTE_ORIGIN +

          '/worklets/resources/empty-worklet-script-with-cors-header.js';

        return openWindowAndExpectResult(

          windowConfig.windowURL, kScriptURL, workletType,

          windowConfig.crossOriginExpectation);

},

      'A remote-origin worklet ' + windowConfig.message);

    promise_test(t => {

        const kScriptURL = 'import-remote-origin-empty-worklet-script.sub.js';

        return openWindowAndExpectResult(

          windowConfig.windowURL, kScriptURL, workletType,

          windowConfig.crossOriginExpectation);

},

      'A same-origin worklet importing a remote-origin script ' +

      windowConfig.message);

    promise_test(t => {

        // A worklet on HTTPS_REMOTE_ORIGIN will import a child script on

        // HTTPS_REMOTE_ORIGIN.

        const kScriptURL =

          get_host_info().HTTPS_REMOTE_ORIGIN +

          '/worklets/resources/import-empty-worklet-script-with-cors-header.js';

        return openWindowAndExpectResult(

          windowConfig.windowURL, kScriptURL, workletType,

          windowConfig.crossOriginExpectation);

},

      'A remote-origin worklet importing a remote-origin script ' +

      windowConfig.message);

    promise_test(t => {

        const kScriptURL =

          '/common/redirect.py?location=' + encodeURIComponent(

              get_host_info().HTTPS_REMOTE_ORIGIN +

              '/worklets/resources/empty-worklet-script-with-cors-header.js');

        return openWindowAndExpectResult(

          windowConfig.windowURL, kScriptURL, workletType,

          windowConfig.crossOriginExpectation);

},

      'A remote-origin-redirected worklet ' + windowConfig.message);

    promise_test(t => {

        const kScriptURL =

          'import-remote-origin-redirected-empty-worklet-script.sub.js';

        return openWindowAndExpectResult(

          windowConfig.windowURL, kScriptURL, workletType,

          windowConfig.crossOriginExpectation);

},

      'A same-origin worklet importing a remote-origin-redirected script ' +

      windowConfig.message);

// Mixed content tests.

function runMixedContentTests(workletType) {

  const kInsecureURL =

      get_host_info().HTTP_ORIGIN +

      '/worklets/resources/empty-worklet-script-with-cors-header.js';

  const kScriptConfigs = [

    {URL: kInsecureURL,

     message: 'An insecure-origin worklet'},

    {URL: '/common/redirect.py?location=' + encodeURIComponent(kInsecureURL),

     message: 'An insecure-origin-redirected worklet'},

    {URL: 'import-insecure-origin-empty-worklet-script.sub.js',

     message: 'A same-origin worklet importing an insecure-origin script'},

    {URL: 'import-insecure-origin-redirected-empty-worklet-script.sub.js',

     message: 'A same-origin worklet ' +

              'importing an insecure-origin-redirected script'}

];

  for (const scriptConfig of kScriptConfigs) {

    promise_test(t => {

        const kWindowURL = 'resources/addmodule-window.html';

        return openWindowAndExpectResult(

          kWindowURL, scriptConfig.URL, workletType, 'REJECTED');

},

      scriptConfig.message + ' should be blocked because of mixed contents.');