Chromium Code Reviews Chromium Code Reviews
Issue 2480303002:
CSP3: Implement 'worker-src'. (Closed)
| OLD | NEW |
|---|---|
| (Empty) | |
| 1 function assert_no_csp_event_for_url(test, url) { | |
| 2 document.addEventListener("securitypolicyviolation", test.step_func(e => { | |
| 3 if (e.blockedURI !== url) | |
| 4 return; | |
| 5 assert_unreached("SecurityPolicyViolation event fired for " + url); | |
| 6 })); | |
| 7 } | |
| 8 | |
| 9 function assert_no_event(test, obj, name) { | |
| 10 obj.addEventListener(name, test.unreached_func("The '" + name + "' event shoul d not have fired.")); | |
| 11 } | |
| 12 | |
| 13 function waitUntilCSPEventForURL(test, url) { | |
| 14 return new Promise((resolve, reject) => { | |
| 15 document.addEventListener("securitypolicyviolation", test.step_func(e => { | |
| 16 if (e.blockedURI == url) | |
| 17 resolve(e); | |
| 18 })); | |
| 19 }); | |
| 20 } | |
| 21 | |
| 22 function waitUntilEvent(obj, name) { | |
| 23 return new Promise((resolve, reject) => { | |
| 24 obj.addEventListener(name, resolve); | |
| 25 }); | |
| 26 } | |
| 27 | |
| 28 // Given the URL of a worker that pings its opener upon load, this | |
| 29 // function builds a test that asserts that the that the ping is | |
|
estark
2016/11/09 16:48:05
nit: extra "that the"
| |
| 30 // received, and that no CSP event fires. | |
| 31 function assert_worker_is_loaded(url, description) { | |
| 32 async_test(t => { | |
| 33 assert_no_csp_event_for_url(t, url); | |
| 34 var w = new Worker(url); | |
| 35 assert_no_event(t, w, "error"); | |
| 36 waitUntilEvent(w, "message") | |
| 37 .then(t.step_func_done(e => { | |
| 38 assert_equals(e.data, "ping"); | |
| 39 })); | |
| 40 }, description); | |
| 41 } | |
| 42 | |
| 43 function assert_shared_worker_is_loaded(url, description) { | |
| 44 async_test(t => { | |
| 45 assert_no_csp_event_for_url(t, url); | |
| 46 var w = new SharedWorker(url); | |
| 47 assert_no_event(t, w, "error"); | |
| 48 waitUntilEvent(w.port, "message") | |
| 49 .then(t.step_func_done(e => { | |
| 50 assert_equals(e.data, "ping"); | |
| 51 })); | |
| 52 w.port.start(); | |
| 53 }, description); | |
| 54 } | |
| 55 | |
| 56 function assert_service_worker_is_loaded(url, description) { | |
| 57 promise_test(t => { | |
| 58 assert_no_csp_event_for_url(t, url); | |
|
foolip
2016/11/09 16:17:52
Yep, this actually works. It looked to me like a m
| |
| 59 return Promise.all([ | |
| 60 waitUntilEvent(navigator.serviceWorker, "message") | |
| 61 .then(e => { | |
| 62 assert_equals(e.data, "ping"); | |
| 63 }), | |
| 64 navigator.serviceWorker.register(url, { scope: url }) | |
| 65 .then(r => { | |
| 66 var sw = r.active || r.installing || r.waiting; | |
| 67 t.add_cleanup(_ => r.unregister()); | |
| 68 sw.postMessage("pong?"); | |
| 69 }) | |
| 70 ]); | |
| 71 }, description); | |
| 72 } | |
| 73 | |
| 74 // Given the URL of a worker that pings its opener upon load, this | |
| 75 // function builds a test that asserts that the constructor throws | |
| 76 // a SecurityError, and that a CSP event fires. | |
| 77 function assert_worker_is_blocked(url, description) { | |
| 78 async_test(t => { | |
| 79 // If |url| is a blob, it will be stripped down to "blob" for reporting. | |
| 80 var reportedURL = new URL(url).protocol == "blob:" ? "blob" : url; | |
| 81 waitUntilCSPEventForURL(t, reportedURL) | |
| 82 .then(t.step_func_done(e => { | |
| 83 assert_equals(e.blockedURI, reportedURL); | |
| 84 assert_equals(e.violatedDirective, "worker-src"); | |
| 85 assert_equals(e.effectiveDirective, "worker-src"); | |
| 86 })); | |
| 87 | |
| 88 // TODO(mkwst): We shouldn't be throwing here. We should be firing an | |
| 89 // `error` event on the Worker. https://crbug.com/663298 | |
| 90 assert_throws("SecurityError", function () { | |
| 91 var w = new Worker(url); | |
| 92 }); | |
| 93 }, description); | |
| 94 } | |
| 95 | |
| 96 function assert_shared_worker_is_blocked(url, description) { | |
| 97 async_test(t => { | |
| 98 // If |url| is a blob, it will be stripped down to "blob" for reporting. | |
| 99 var reportedURL = new URL(url).protocol == "blob:" ? "blob" : url; | |
| 100 waitUntilCSPEventForURL(t, reportedURL) | |
| 101 .then(t.step_func_done(e => { | |
| 102 assert_equals(e.blockedURI, reportedURL); | |
| 103 assert_equals(e.violatedDirective, "worker-src"); | |
| 104 assert_equals(e.effectiveDirective, "worker-src"); | |
| 105 })); | |
| 106 | |
| 107 // TODO(mkwst): We shouldn't be throwing here. We should be firing an | |
| 108 // `error` event on the SharedWorker. https://crbug.com/663298 | |
| 109 assert_throws("SecurityError", function () { | |
| 110 var w = new SharedWorker(url); | |
| 111 }); | |
| 112 }, description); | |
| 113 } | |
| 114 | |
| 115 function assert_service_worker_is_blocked(url, description) { | |
| 116 promise_test(t => { | |
| 117 assert_no_event(t, navigator.serviceWorker, "message"); | |
| 118 // If |url| is a blob, it will be stripped down to "blob" for reporting. | |
| 119 var reportedURL = new URL(url).protocol == "blob:" ? "blob" : url; | |
| 120 return Promise.all([ | |
| 121 waitUntilCSPEventForURL(t, reportedURL) | |
| 122 .then(t.step_func_done(e => { | |
| 123 assert_equals(e.blockedURI, reportedURL); | |
| 124 assert_equals(e.violatedDirective, "worker-src"); | |
| 125 assert_equals(e.effectiveDirective, "worker-src"); | |
| 126 })), | |
| 127 promise_rejects(t, "SecurityError", navigator.serviceWorker.register(url, { scope: url })) | |
| 128 ]); | |
| 129 }, description); | |
| 130 } | |
| 131 | |
| OLD | NEW |
