OLD | NEW |
1 <!DOCTYPE html> | 1 <!DOCTYPE html> |
2 <title>Service Worker: CSP control of fetch()</title> | 2 <title>Service Worker: CSP control of fetch()</title> |
3 <script src="../resources/testharness.js"></script> | 3 <script src="../resources/testharness.js"></script> |
4 <script src="../resources/testharnessreport.js"></script> | 4 <script src="../resources/testharnessreport.js"></script> |
5 <script src="../resources/get-host-info.js"></script> | 5 <script src="../resources/get-host-info.js?pipe=sub"></script> |
6 <script src="resources/test-helpers.js?pipe=sub"></script> | 6 <script src="resources/test-helpers.js"></script> |
7 <script> | 7 <script> |
8 async_test(function(t) { | 8 |
| 9 function assert_resolves(promise, description) { |
| 10 return promise.catch(function(reason) { |
| 11 throw new Error(description + ' - ' + reason.message); |
| 12 }); |
| 13 } |
| 14 |
| 15 function assert_rejects(promise, description) { |
| 16 return promise.then( |
| 17 function() { throw new Error(description); }, |
| 18 function() {}); |
| 19 } |
| 20 |
| 21 promise_test(function(t) { |
9 var SCOPE = 'resources/fetch-csp-iframe.html'; | 22 var SCOPE = 'resources/fetch-csp-iframe.html'; |
10 var SCRIPT = 'resources/fetch-rewrite-worker.js'; | 23 var SCRIPT = 'resources/fetch-rewrite-worker.js'; |
11 var host_info = get_host_info(); | 24 var host_info = get_host_info(); |
12 service_worker_unregister_and_register(t, SCRIPT, SCOPE) | 25 var IMAGE_PATH = |
| 26 base_path() + 'resources/fetch-access-control.php?PNGIMAGE'; |
| 27 var IMAGE_URL = host_info['HTTP_ORIGIN'] + IMAGE_PATH; |
| 28 var REMOTE_IMAGE_URL = host_info['HTTP_REMOTE_ORIGIN'] + IMAGE_PATH; |
| 29 var REDIRECT_URL = |
| 30 host_info['HTTP_ORIGIN'] + base_path() + 'resources/redirect.php'; |
| 31 var frame; |
| 32 |
| 33 return service_worker_unregister_and_register(t, SCRIPT, SCOPE) |
13 .then(function(registration) { | 34 .then(function(registration) { |
14 return wait_for_state(t, registration.installing, 'activated'); | 35 return wait_for_state(t, registration.installing, 'activated'); |
15 }) | 36 }) |
16 .then(function() { return with_iframe(SCOPE); }) | 37 .then(function() { |
17 .then(function(frame) { | 38 return with_iframe( |
18 return new Promise(function(resolve, reject) { | 39 SCOPE + '?' + |
19 var channel = new MessageChannel(); | 40 encodeURIComponent('img-src ' + host_info['HTTP_ORIGIN'] + |
20 channel.port1.onmessage = t.step_func(function(e) { | 41 '; script-src \'unsafe-inline\'')); |
21 assert_equals(e.data.results, 'finish'); | |
22 service_worker_unregister_and_done(t, SCOPE); | |
23 }); | |
24 frame.contentWindow.postMessage({}, | |
25 host_info['HTTP_ORIGIN'], | |
26 [channel.port2]); | |
27 }); | |
28 }) | 42 }) |
29 .catch(unreached_rejection(t)); | 43 .then(function(f) { |
| 44 frame = f; |
| 45 return assert_resolves( |
| 46 frame.contentWindow.load_image(IMAGE_URL), |
| 47 'Allowed scope image resource should be loaded.'); |
| 48 }) |
| 49 .then(function() { |
| 50 return assert_rejects( |
| 51 frame.contentWindow.load_image(REMOTE_IMAGE_URL), |
| 52 'Disallowed scope image resource should not be loaded.'); |
| 53 }) |
| 54 .then(function() { |
| 55 return assert_resolves( |
| 56 frame.contentWindow.load_image( |
| 57 // The request for IMAGE_URL will be fetched in SW. |
| 58 './dummy?url=' + encodeURIComponent(IMAGE_URL)), |
| 59 'Allowed scope image resource which was fetched via SW should ' + |
| 60 'be loaded.'); |
| 61 }) |
| 62 .then(function() { |
| 63 return assert_rejects( |
| 64 frame.contentWindow.load_image( |
| 65 // The request for REMOTE_IMAGE_URL will be fetched in SW. |
| 66 './dummy?mode=no-cors&url=' + |
| 67 encodeURIComponent(REMOTE_IMAGE_URL)), |
| 68 'Disallowed scope image resource which was fetched via SW ' + |
| 69 'should not be loaded.'); |
| 70 }) |
| 71 .then(function() { |
| 72 frame.remove(); |
| 73 return with_iframe( |
| 74 SCOPE + '?' + |
| 75 encodeURIComponent( |
| 76 'img-src ' + REDIRECT_URL + |
| 77 '; script-src \'unsafe-inline\'')); |
| 78 }) |
| 79 .then(function(f) { |
| 80 frame = f; |
| 81 return assert_resolves( |
| 82 frame.contentWindow.load_image( |
| 83 // Set 'ignore' not to call respondWith() in the SW. |
| 84 REDIRECT_URL + '?ignore&Redirect=' + |
| 85 encodeURIComponent(IMAGE_URL)), |
| 86 'When the request was redirected, CSP match algorithm should ' + |
| 87 'ignore the path component of the URL.'); |
| 88 }) |
| 89 .then(function() { |
| 90 return assert_resolves( |
| 91 frame.contentWindow.load_image( |
| 92 // This request will be fetched via SW and redirected by |
| 93 // redirect.php. |
| 94 REDIRECT_URL + '?Redirect=' + encodeURIComponent(IMAGE_URL)), |
| 95 'When the request was redirected via SW, CSP match algorithm ' + |
| 96 'should ignore the path component of the URL.'); |
| 97 }) |
| 98 .then(function() { |
| 99 return assert_resolves( |
| 100 frame.contentWindow.load_image( |
| 101 // The request for IMAGE_URL will be fetched in SW. |
| 102 REDIRECT_URL + '?url=' + encodeURIComponent(IMAGE_URL)), |
| 103 'When the request was fetched via SW, CSP match algorithm ' + |
| 104 'should ignore the path component of the URL.'); |
| 105 }) |
| 106 .then(function() { |
| 107 frame.remove(); |
| 108 service_worker_unregister_and_done(t, SCOPE); |
| 109 }); |
30 }, 'Verify CSP control of fetch() in a Service Worker'); | 110 }, 'Verify CSP control of fetch() in a Service Worker'); |
31 </script> | 111 </script> |
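Review bot: `assert_rejects` (new lines 15-19) accepts any rejection, so the two "Disallowed scope image" checks (new lines 49-53 and 62-70) also pass when the remote image fails for a reason unrelated to CSP, such as an unreachable remote origin or a wrong fixture path. As written, these negative cases cannot show that the policy itself blocked the load. A control would make the rejection attributable: load `REMOTE_IMAGE_URL` in a frame whose `img-src` allows `HTTP_REMOTE_ORIGIN` and wrap that in `assert_resolves`. Separately, the cleanup at new lines 106-109 runs only when every step succeeds, so a failed assertion leaves the iframe and the registration behind for later tests; registering `t.add_cleanup(function() { if (frame) frame.remove(); });` right after `var frame;` would cover the iframe.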