tests(smoke): verify CSP violations caused by lighthouse

lighthouse-cli/test/fixtures/csp.html

@@ -0,0 +1,11 @@
+<html>
+  <head>
+    <script>
+      // Use a source map so we can test the injected iframe fetcher.
+      //# sourceMappingURL=http://localhost:10200/source-map/script.js.map
+    </script>
+  </head>
+  <body>
+    <h1>Test this page with a CSP</h1>
+  </body>
+</html>

lighthouse-cli/test/fixtures/static-server.js

@@ -17,7 +17,7 @@ const mime = require('mime-types');
 const parseQueryString = require('querystring').parse;
 const parseURL = require('url').parse;
 const URLSearchParams = require('url').URLSearchParams;
-const HEADER_SAFELIST = new Set(['x-robots-tag', 'link']);
+const HEADER_SAFELIST = new Set(['x-robots-tag', 'link', 'content-security-policy']);
 
 const lhRootDirPath = path.join(__dirname, '../../../');
 

lighthouse-cli/test/smokehouse/test-definitions/core-tests.js

@@ -88,6 +88,10 @@ const smokeTests = [{
   id: 'screenshot',
   expectations: require('./screenshot/expectations.js'),
   config: require('./screenshot/screenshot-config.js'),
+}, {
+  id: 'csp',
+  expectations: require('./csp/csp-expectations.js'),
+  config: require('./csp/csp-config.js'),
 }];
 
 module.exports = smokeTests;

lighthouse-cli/test/smokehouse/test-definitions/csp/csp-config.js

@@ -0,0 +1,11 @@
+/**
+ * @license Copyright 2021 The Lighthouse Authors. All Rights Reserved.
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+ * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
+ */
+'use strict';
+
+/** @type {LH.Config.Json} */
+module.exports = {
+  extends: 'lighthouse:default',
+};

lighthouse-cli/test/smokehouse/test-definitions/csp/csp-expectations.js

@@ -0,0 +1,85 @@
+/**
+ * @license Copyright 2021 The Lighthouse Authors. All Rights Reserved.
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0
+ * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
+ */
+'use strict';
+
+/**
+ * @param {[string, string][]} headers
+ * @return {string}
+ */
+function headersParam(headers) {
+  const headerString = new URLSearchParams(headers).toString();
+  return new URLSearchParams([['extra_header', headerString]]).toString();
+}
+
+const blockAllExceptInlineScriptCsp = headersParam([[
+  'Content-Security-Policy',
+  'default-src \'none\'; script-src \'unsafe-inline\'',
+]]);
+
+/**
+ * @type {Array<Smokehouse.ExpectedRunnerResult>}
+ */
+module.exports = [
+  {
+    artifacts: {
+      RobotsTxt: {
+        status: 404,
+        content: null,
+      },
+      InspectorIssues: {contentSecurityPolicy: []},
+      SourceMaps: [{
+        sourceMapUrl: 'http://localhost:10200/source-map/script.js.map',
+        map: {},
+        errorMessage: undefined,
+      }],
+    },
+    lhr: {
+      requestedUrl: 'http://localhost:10200/csp.html',
+      finalUrl: 'http://localhost:10200/csp.html',
+      audits: {},
+    },
+  },
+  {
+    artifacts: {
+      RobotsTxt: {
+        status: null,
+        content: null,
+      },
+      InspectorIssues: {
+        contentSecurityPolicy: [
+          {
+            // TODO: Fix connect-src violation when fetching robots.txt.
+            // https://github.com/GoogleChrome/lighthouse/issues/10225
+            blockedURL: 'http://localhost:10200/robots.txt',
+            violatedDirective: 'connect-src',
+            isReportOnly: false,
+            contentSecurityPolicyViolationType: 'kURLViolation',
+          },
+          {
+            // TODO: Fix style-src-elem violation when checking tap targets.
+            // https://github.com/GoogleChrome/lighthouse/issues/11862
+            violatedDirective: 'style-src-elem',
+            isReportOnly: false,
+            contentSecurityPolicyViolationType: 'kInlineViolation',
+          },
+        ],
+      },
+      SourceMaps: [{
+        // TODO: Fix frame-src violation when using iframe fetcher.
+        // Doesn't trigger a CSP violation because iframe is injected after InspectorIssues gatherer finishes.
+        // https://github.com/GoogleChrome/lighthouse/pull/12044#issuecomment-788274938
+        sourceMapUrl: 'http://localhost:10200/source-map/script.js.map',
+        errorMessage: 'Error: Timed out fetching resource.',
+        map: undefined,
+      }],
+    },
+    lhr: {
+      requestedUrl: 'http://localhost:10200/csp.html?' + blockAllExceptInlineScriptCsp,
+      finalUrl: 'http://localhost:10200/csp.html?' + blockAllExceptInlineScriptCsp,
+      audits: {},
+    },
+  },
+];

lighthouse-core/gather/gatherers/seo/tap-targets.js

@@ -293,7 +293,7 @@ class TapTargets extends FRGatherer {
    * @return {Promise<LH.Artifacts.TapTarget[]>} All visible tap targets with their positions and sizes
    */
   snapshot(passContext) {
-    return passContext.driver.executionContext.evaluate(gatherTapTargets, {
+    const a = passContext.driver.executionContext.evaluate(gatherTapTargets, {
       args: [tapTargetsSelector],
       useIsolation: true,
       deps: [
@@ -312,6 +312,9 @@ class TapTargets extends FRGatherer {
         pageFunctions.getNodeLabel,
       ],
     });
+    return a.then(e => {
+      return e;
+    });
   }
 }