1 <!DOCTYPE html> | 1 <!DOCTYPE html> |
2 <title>Service Worker: CSP control of fetch()</title> | 2 <title>Service Worker: CSP control of fetch()</title> |
3 <script src="/resources/testharness.js"></script> | 3 <script src="/resources/testharness.js"></script> |
4 <script src="/resources/testharnessreport.js"></script> | 4 <script src="/resources/testharnessreport.js"></script> |
5 <script src="/common/get-host-info.sub.js"></script> | 5 <script src="/common/get-host-info.sub.js"></script> |
6 <script src="resources/test-helpers.sub.js?pipe=sub"></script> | 6 <script src="resources/test-helpers.sub.js?pipe=sub"></script> |
7 <script> | 7 <script> |
8 async_test(function(t) { | 8 |
9 function assert_resolves(promise, description) { | |
10 return promise.catch(function(reason) { | |
11 throw new Error(description + ' - ' + reason.message); | |
12 }); | |
13 } | |
14 | |
15 function assert_rejects(promise, description) { | |
16 return promise.then( | |
17 function() { throw new Error(description); }, | |
18 function() {}); | |
19 } | |
20 | |
21 promise_test(function(t) { | |
9 var SCOPE = 'resources/fetch-csp-iframe.html'; | 22 var SCOPE = 'resources/fetch-csp-iframe.html'; |
10 var SCRIPT = 'resources/fetch-rewrite-worker.js'; | 23 var SCRIPT = 'resources/fetch-rewrite-worker.js'; |
11 var host_info = get_host_info(); | 24 var host_info = get_host_info(); |
12 service_worker_unregister_and_register(t, SCRIPT, SCOPE) | 25 var IMAGE_PATH = |
26 base_path() + 'resources/fetch-access-control.py?PNGIMAGE'; | |
27 var IMAGE_URL = host_info['HTTPS_ORIGIN'] + IMAGE_PATH; | |
28 var REMOTE_IMAGE_URL = host_info['HTTPS_REMOTE_ORIGIN'] + IMAGE_PATH; | |
29 var REDIRECT_URL = | |
30 host_info['HTTPS_ORIGIN'] + base_path() + 'resources/redirect.py'; | |
31 var frame; | |
32 | |
33 return service_worker_unregister_and_register(t, SCRIPT, SCOPE) | |
13 .then(function(registration) { | 34 .then(function(registration) { |
14 return wait_for_state(t, registration.installing, 'activated'); | 35 return wait_for_state(t, registration.installing, 'activated'); |
15 }) | 36 }) |
16 .then(function() { return with_iframe(SCOPE); }) | 37 .then(function() { |
17 .then(function(frame) { | 38 return with_iframe( |
18 return new Promise(function(resolve, reject) { | 39 SCOPE + '?' + |
19 var channel = new MessageChannel(); | 40 encodeURIComponent('img-src ' + host_info['HTTPS_ORIGIN'] + |
20 channel.port1.onmessage = t.step_func(function(e) { | 41 '; script-src \'unsafe-inline\'')); |
21 assert_equals(e.data.results, 'finish'); | |
22 frame.remove(); | |
23 service_worker_unregister_and_done(t, SCOPE); | |
24 }); | |
25 frame.contentWindow.postMessage({}, | |
26 host_info['HTTPS_ORIGIN'], | |
27 [channel.port2]); | |
28 }); | |
29 }) | 42 }) |
30 .catch(unreached_rejection(t)); | 43 .then(function(f) { |
44 frame = f; | |
45 return assert_resolves( | |
46 frame.contentWindow.load_image(IMAGE_URL), | |
47 'Allowed scope image resource should be loaded.'); | |
48 }) | |
49 .then(function() { | |
50 return assert_rejects( | |
51 frame.contentWindow.load_image(REMOTE_IMAGE_URL), | |
52 'Disallowed scope image resource should not be loaded.'); | |
53 }) | |
54 .then(function() { | |
55 return assert_resolves( | |
56 frame.contentWindow.load_image( | |
57 // The request for IMAGE_URL will be fetched in SW. | |
58 './dummy?url=' + encodeURIComponent(IMAGE_URL)), | |
59 'Allowed scope image resource which was fetched via SW should ' + | |
60 'be loaded.'); | |
61 }) | |
62 .then(function() { | |
63 return assert_rejects( | |
64 frame.contentWindow.load_image( | |
65 // The request for REMOTE_IMAGE_URL will be fetched in SW. | |
66 './dummy?mode=no-cors&url=' + | |
67 encodeURIComponent(REMOTE_IMAGE_URL)), | |
68 'Disallowed scope image resource which was fetched via SW ' + | |
69 'should not be loaded.'); | |
70 }) | |
71 .then(function() { | |
72 frame.remove(); | |
73 return with_iframe( | |
74 SCOPE + '?' + | |
75 encodeURIComponent( | |
76 'img-src ' + REDIRECT_URL + | |
77 '; script-src \'unsafe-inline\'')); | |
78 }) | |
79 .then(function(f) { | |
80 frame = f; | |
81 return assert_resolves( | |
82 frame.contentWindow.load_image( | |
83 // Set 'ignore' not to call respondWith() in the SW. | |
84 REDIRECT_URL + '?ignore&Redirect=' + | |
85 encodeURIComponent(IMAGE_URL)), | |
86 'When the request was redirected, CSP match algorithm should ' + | |
87 'ignore the path component of the URL.'); | |
88 }) | |
89 .then(function() { | |
90 return assert_resolves( | |
91 frame.contentWindow.load_image( | |
92 // This request will be fetched via SW and redirected by | |
93 // redirect.php. | |
94 REDIRECT_URL + '?Redirect=' + encodeURIComponent(IMAGE_URL)), | |
95 'When the request was redirected via SW, CSP match algorithm ' + | |
96 'should ignore the path component of the URL.'); | |
97 }) | |
98 .then(function() { | |
99 return assert_resolves( | |
100 frame.contentWindow.load_image( | |
101 // The request for IMAGE_URL will be fetched in SW. | |
102 REDIRECT_URL + '?url=' + encodeURIComponent(IMAGE_URL)), | |
103 'When the request was fetched via SW, CSP match algorithm ' + | |
104 'should ignore the path component of the URL.'); | |
105 }) | |
106 .then(function() { | |
107 frame.remove(); | |
108 service_worker_unregister_and_done(t, SCOPE); | |
falken
2017/04/10 14:10:51
nit: This could just be registration.unregister()
mike3
2017/04/10 16:59:34
This is a pattern we'll want to follow throughout
| |
109 }); | |
31 }, 'Verify CSP control of fetch() in a Service Worker'); | 110 }, 'Verify CSP control of fetch() in a Service Worker'); |
32 </script> | 111 </script> |
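Review bot: The frame removal and worker unregistration in the last `.then` (new lines 107-108) only run when every preceding step succeeds, so a failing `assert_rejects`/`assert_resolves` leaves the iframe attached and the fetch-rewriting worker registered on this scope, where it can intercept requests of whatever test runs next and distort its results. Register the teardown up front instead, e.g. `t.add_cleanup(function() { if (frame) frame.remove(); });` right after `var frame;` on new line 31, and do the unregistration in the same cleanup rather than at the tail of the chain (whichever unregister helper test-helpers exposes; only the `_and_register`/`_and_done` variants are visible here). Separately, the comment on new lines 92-93 says the request is "redirected by redirect.php" while `REDIRECT_URL` on line 30 points at `redirect.py`; it should read `// This request will be fetched via SW and redirected by redirect.py.`. Note also that `assert_rejects` (lines 15-19) treats any rejection as success, so the two "disallowed" cases would also pass if the remote origin were simply unreachable; the preceding "allowed" load is the only control, which is worth stating in a comment so nobody weakens it later.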