Add redirected cases to CSP/import tests in wpt/worklets

Also this CL replaces some of empty-worklet-script.js usage in CSP tests with empty-worklet-script-with-cors-header.js to make sure worklets are rejected due to CSP, not CORS. Change-Id: Ie463d206254c4c6728a79dae0ad79e4f7e333b92
web-platform-tests · Nov 5, 2018 · c6db0ea · c6db0ea
1 parent 5ebf3e3
commit c6db0ea
Show file tree

Hide file tree

Showing 6 changed files with 182 additions and 98 deletions.
diff --git a/worklets/resources/csp-tests.js b/worklets/resources/csp-tests.js
@@ -22,109 +22,164 @@ function openWindowAndExpectResult(windowURL, scriptURL, type, expectation) {
 // Usage:
 // runContentSecurityPolicyTests("paint");
 function runContentSecurityPolicyTests(workletType) {
-  promise_test(t => {
-    const kWindowURL =
-        'resources/addmodule-window.html?pipe=header(' +
-        'Content-Security-Policy, script-src \'self\' \'unsafe-inline\')';
-    const kScriptURL =
-        get_host_info().HTTPS_REMOTE_ORIGIN +
-        '/worklets/resources/import-empty-worklet-script-with-cors-header.js';
-    return openWindowAndExpectResult(
-        kWindowURL, kScriptURL, workletType, 'REJECTED');
-  }, 'Importing a remote-origin worklet script should be blocked by the ' +
-     'script-src \'self\' directive.');
+  runSrcTests(workletType);
+  runMixedContentTests(workletType);
+  runUpgradeInsecureRequestsTests(workletType);
+}
 
-  promise_test(t => {
-    const kWindowURL =
+// script-src and worker-src tests.
+function runSrcTests(workletType) {
+  const kWindowConfigs = [
+    {
+      'windowURL':
         'resources/addmodule-window.html?pipe=header(' +
-        'Content-Security-Policy, script-src \'self\' \'unsafe-inline\')';
-    const kScriptURL = 'import-remote-origin-empty-worklet-script.sub.js';
-    return openWindowAndExpectResult(
-        kWindowURL, kScriptURL, workletType, 'REJECTED');
-  }, 'Importing a remote-origin script from a same-origin worklet script ' +
-     'should be blocked by the script-src \'self\' directive.');
-
-  promise_test(t => {
-    const kWindowURL =
+        'Content-Security-Policy, script-src \'self\' \'unsafe-inline\')',
+      'crossOriginExpectation': 'REJECTED',
+      'message': 'should be blocked by the script-src \'self\' directive.'
+    },
+    {
+      'windowURL':
         'resources/addmodule-window.html?pipe=header(' +
-        'Content-Security-Policy, script-src * \'unsafe-inline\')';
-    const kScriptURL =
-        get_host_info().HTTPS_REMOTE_ORIGIN +
-        '/worklets/resources/empty-worklet-script-with-cors-header.js';
-    return openWindowAndExpectResult(
-        kWindowURL, kScriptURL, workletType, 'RESOLVED');
-  }, 'Importing a remote-origin worklet script should not be blocked ' +
-     'because the script-src * directive allows it.');
-
-  promise_test(t => {
-    const kWindowURL =
+        'Content-Security-Policy, script-src ' + location.origin + ' ' +
+        get_host_info().HTTPS_REMOTE_ORIGIN + ' \'unsafe-inline\')',
+      'crossOriginExpectation': 'RESOLVED',
+      'message':
+        'should be blocked by the script-src directive specifying the origin.'
+    },
+    {
+      'windowURL':
         'resources/addmodule-window.html?pipe=header(' +
-        'Content-Security-Policy, script-src * \'unsafe-inline\')';
-    // A worklet on HTTPS_REMOTE_ORIGIN will import a child script on
-    // HTTPS_REMOTE_ORIGIN.
-    const kScriptURL =
-        get_host_info().HTTPS_REMOTE_ORIGIN +
-        '/worklets/resources/import-empty-worklet-script-with-cors-header.js';
-    return openWindowAndExpectResult(
-        kWindowURL, kScriptURL, workletType, 'RESOLVED');
-  }, 'Importing a remote-origin script from a remote-origin worklet script '+
-     'should not be blocked because the script-src * directive allows it.');
-
-  promise_test(t => {
-    const kWindowURL =
+        'Content-Security-Policy, script-src * \'unsafe-inline\')',
+      'crossOriginExpectation': 'RESOLVED',
+      'message':
+        'should not be blocked because the script-src * directive allows it.'
+    },
+    {
+      'windowURL':
         'resources/addmodule-window.html?pipe=header(' +
-        'Content-Security-Policy, worker-src \'self\' \'unsafe-inline\')';
-    const kScriptURL =
-        get_host_info().HTTPS_REMOTE_ORIGIN +
-        '/worklets/resources/empty-worklet-script-with-cors-header.js';
-    return openWindowAndExpectResult(
-        kWindowURL, kScriptURL, workletType, 'RESOLVED');
-  }, 'Importing a remote-origin worklet script should not be blocked by ' +
-     'the worker-src directive because worklets obey the script-src ' +
-     'directive.');
+        'Content-Security-Policy, worker-src \'self\' \'unsafe-inline\')',
+      'crossOriginExpectation': 'RESOLVED',
+      'message':
+        'should not be blocked by the worker-src directive ' +
+        'because worklets obey the script-src directive.'
+    }
+  ];
+  for (const windowConfig of kWindowConfigs) {
+    promise_test(((windowConfig, t) => {
+        const kScriptURL =
+          get_host_info().HTTPS_REMOTE_ORIGIN +
+          '/worklets/resources/empty-worklet-script-with-cors-header.js';
+        return openWindowAndExpectResult(
+          windowConfig.windowURL, kScriptURL, workletType,
+          windowConfig.crossOriginExpectation);
+      }).bind(undefined, windowConfig),
+      'A remote-origin worklet ' + windowConfig.message);
 
-  promise_test(t => {
-    const kWindowURL = 'resources/addmodule-window.html';
-    const kScriptURL =
-        get_host_info().HTTP_ORIGIN +
-        '/worklets/resources/empty-worklet-script.js';
-    return openWindowAndExpectResult(
-        kWindowURL, kScriptURL, workletType, 'REJECTED');
-  }, 'Importing an insecure-origin worklet script should be blocked because ' +
-     'of mixed contents.');
+    promise_test(((windowConfig, t) => {
+        const kScriptURL = 'import-remote-origin-empty-worklet-script.sub.js';
+        return openWindowAndExpectResult(
+          windowConfig.windowURL, kScriptURL, workletType,
+          windowConfig.crossOriginExpectation);
+      }).bind(undefined, windowConfig),
+      'A same-origin worklet importing a remote-origin script ' +
+      windowConfig.message);
 
-  promise_test(t => {
-    const kWindowURL = 'resources/addmodule-window.html?pipe=header(' +
-                       'Content-Security-Policy, upgrade-insecure-requests)';
-    // This test relies on some unintuitive cleverness due to WPT's test setup:
-    // 'Upgrade-Insecure-Requests' does not upgrade the port number, so we use
-    // URLs in the form `http://[host]:[https-port]`. If the upgrade fails, the
-    // load will fail, as we don't serve HTTP over the secure port.
-    const kHost = get_host_info().ORIGINAL_HOST;
-    const kPort = get_host_info().HTTPS_PORT;
-    const kScriptURL =
-        `http://${kHost}:${kPort}/worklets/resources/empty-worklet-script.js`;
-    return openWindowAndExpectResult(
-        kWindowURL, kScriptURL, workletType, 'RESOLVED');
-  }, 'Importing an insecure-origin worklet script should not be blocked ' +
-     'because the upgrade-insecure-requests directive translates it as the ' +
-     'secure origin.');
+    promise_test(((windowConfig, t) => {
+        // A worklet on HTTPS_REMOTE_ORIGIN will import a child script on
+        // HTTPS_REMOTE_ORIGIN.
+        const kScriptURL =
+          get_host_info().HTTPS_REMOTE_ORIGIN +
+          '/worklets/resources/import-empty-worklet-script-with-cors-header.js';
+        return openWindowAndExpectResult(
+          windowConfig.windowURL, kScriptURL, workletType,
+          windowConfig.crossOriginExpectation);
+      }).bind(undefined, windowConfig),
+      'A remote-origin worklet importing a remote-origin script ' +
+      windowConfig.message);
+
+    promise_test(((windowConfig, t) => {
+        const kScriptURL =
+          '/common/redirect.py?location=' + encodeURIComponent(
+              get_host_info().HTTPS_REMOTE_ORIGIN +
+              '/worklets/resources/empty-worklet-script-with-cors-header.js');
+        return openWindowAndExpectResult(
+          windowConfig.windowURL, kScriptURL, workletType,
+          windowConfig.crossOriginExpectation);
+      }).bind(undefined, windowConfig),
+      'A remote-origin-redirected worklet ' + windowConfig.message);
+
+    promise_test(((windowConfig, t) => {
+        const kScriptURL =
+          'import-remote-origin-redirected-empty-worklet-script.sub.js';
+        return openWindowAndExpectResult(
+          windowConfig.windowURL, kScriptURL, workletType,
+          windowConfig.crossOriginExpectation);
+      }).bind(undefined, windowConfig),
+      'A same-origin worklet importing a remote-origin-redirected script ' +
+      windowConfig.message);
+  }
+}
+
+// Mixed content tests.
+function runMixedContentTests(workletType) {
+  const kInsecureURL =
+      get_host_info().HTTP_ORIGIN +
+      '/worklets/resources/empty-worklet-script-with-cors-header.js';
+  const scriptConfigs = [
+    {URL: kInsecureURL,
+     message: 'An insecure-origin worklet'},
+    {URL: '/common/redirect.py?location=' + encodeURIComponent(kInsecureURL),
+     message: 'An insecure-origin-redirected worklet'},
+    {URL: 'import-insecure-origin-empty-worklet-script.sub.js',
+     message: 'A same-origin worklet importing an insecure-origin script'},
+    {URL: 'import-insecure-origin-redirected-empty-worklet-script.sub.js',
+     message: 'A same-origin worklet ' +
+              'importing an insecure-origin-redirected script'}
+  ];
+  for (const scriptConfig of scriptConfigs) {
+    promise_test(((scriptConfig, t) => {
+        const kWindowURL = 'resources/addmodule-window.html';
+        return openWindowAndExpectResult(
+          kWindowURL, scriptConfig.URL, workletType, 'REJECTED');
+      }).bind(undefined, scriptConfig),
+      scriptConfig.message + ' should be blocked because of mixed contents.');
+  }
+}
 
-  promise_test(t => {
-    const kWindowURL = 'resources/addmodule-window.html';
-    const kScriptURL = 'import-insecure-origin-empty-worklet-script.sub.js';
-    return openWindowAndExpectResult(
-        kWindowURL, kScriptURL, workletType, 'REJECTED');
-  }, 'Importing an insecure-origin script from a secure-origin worklet ' +
-     'script should be blocked because of mixed contents.');
+// upgrade-insecure-requests tests.
+function runUpgradeInsecureRequestsTests(workletType) {
+  // |kToBeUpgradedURL| is expected to upgraded/loaded successfully with
+  // upgrade-insecure-requests is specified.
+  // This relies on some unintuitive cleverness due to WPT's test setup:
+  // 'Upgrade-Insecure-Requests' does not upgrade the port number, so we use
+  // URLs in the form `http://[host]:[https-port]`. If the upgrade fails, the
+  // load will fail, as we don't serve HTTP over the secure port.
+  const kHost = get_host_info().ORIGINAL_HOST;
+  const kPort = get_host_info().HTTPS_PORT;
+  const kToBeUpgradedURL =
+      `http://${kHost}:${kPort}/worklets/resources/empty-worklet-script-with-cors-header.js`;
 
-  promise_test(t => {
-    const kWindowURL = 'resources/addmodule-window.html?pipe=header(' +
-                       'Content-Security-Policy, upgrade-insecure-requests)';
-    const kScriptURL = 'import-insecure-origin-empty-worklet-script.sub.js';
-    return openWindowAndExpectResult(
-        kWindowURL, kScriptURL, workletType, 'RESOLVED');
-  }, 'Importing an insecure-origin script from a secure-origin worklet ' +
-     'script should not be blocked because the upgrade-insecure-requests ' +
-     'directive translates it as the secure origin.');
+  const scriptConfigs = [
+    {URL: kToBeUpgradedURL,
+     message: 'An insecure-origin worklet'},
+    {URL: '/common/redirect.py?location=' +
+          encodeURIComponent(kToBeUpgradedURL),
+     message: 'An insecure-origin-redirected worklet'},
+    {URL: 'import-insecure-origin-empty-worklet-script.sub.js',
+     message: 'A same-origin worklet importing an insecure-origin script'},
+    {URL: 'import-insecure-origin-redirected-empty-worklet-script.sub.js',
+     message: 'A same-origin worklet ' +
+              'importing an insecure-origin-redirected script'}
+  ];
+  for (const scriptConfig of scriptConfigs) {
+    promise_test(((scriptConfig, t) => {
+        const kWindowURL =
+          'resources/addmodule-window.html?pipe=header(' +
+          'Content-Security-Policy, upgrade-insecure-requests)';
+        return openWindowAndExpectResult(
+          kWindowURL, scriptConfig.URL, workletType, 'RESOLVED');
+      }).bind(undefined, scriptConfig),
+      scriptConfig.message +
+      ' should not be blocked because of upgrade-insecure-requests.');
+  }
 }
diff --git a/worklets/resources/import-insecure-origin-empty-worklet-script.sub.js b/worklets/resources/import-insecure-origin-empty-worklet-script.sub.js
@@ -2,4 +2,4 @@
 // 'Upgrade-Insecure-Requests' does not upgrade the port number, so we use URLs
 // in the form `http://[host]:[https-port]`. If the upgrade fails, the load will
 // fail, as we don't serve HTTP over the secure port.
-import 'http://{{host}}:{{ports[https][0]}}/worklets/resources/empty-worklet-script.js';
+import 'http://{{host}}:{{ports[https][0]}}/worklets/resources/empty-worklet-script-with-cors-header.js';
diff --git a/worklets/resources/import-insecure-origin-redirected-empty-worklet-script.sub.js b/worklets/resources/import-insecure-origin-redirected-empty-worklet-script.sub.js
@@ -0,0 +1,5 @@
+// Some tests rely on some unintuitive cleverness due to WPT's test setup:
+// 'Upgrade-Insecure-Requests' does not upgrade the port number, so we use URLs
+// in the form `http://[host]:[https-port]`. If the upgrade fails, the load will
+// fail, as we don't serve HTTP over the secure port.
+import '/common/redirect.py?location=http://{{host}}:{{ports[https][0]}}/worklets/resources/empty-worklet-script-with-cors-header.js';
diff --git a/worklets/resources/import-remote-origin-empty-worklet-script.sub.js b/worklets/resources/import-remote-origin-empty-worklet-script.sub.js
@@ -1 +1 @@
-import 'https://{{domains[www1]}}:{{ports[https][0]}}/worklets/resources/empty-worklet-script.js';
+import 'https://{{domains[www1]}}:{{ports[https][0]}}/worklets/resources/empty-worklet-script-with-cors-header.js';
diff --git a/worklets/resources/import-remote-origin-redirected-empty-worklet-script.sub.js b/worklets/resources/import-remote-origin-redirected-empty-worklet-script.sub.js
@@ -0,0 +1 @@
+import '/common/redirect.py?location=https://{{domains[www1]}}:{{ports[https][0]}}/worklets/resources/empty-worklet-script-with-cors-header.js';
diff --git a/worklets/resources/import-tests.js b/worklets/resources/import-tests.js
@@ -114,6 +114,29 @@ function runImportTests(worklet_type) {
     }, 'Importing a cross origin resource without the ' +
        'Access-Control-Allow-Origin header should reject the given promise');
 
+    promise_test(() => {
+        const kScriptURL = get_host_info().HTTPS_REMOTE_ORIGIN +
+                           '/worklets/resources/empty-worklet-script.js' +
+                           '?pipe=header(Access-Control-Allow-Origin, ' +
+                           location.origin + ')';
+        return worklet.addModule('/common/redirect.py?location=' +
+                                 encodeURIComponent(kScriptURL))
+          .then(undefined_arg => {
+              assert_equals(undefined_arg, undefined);
+          });
+    }, 'Importing a cross-origin-redirected resource with the ' +
+       'Access-Control-Allow-Origin header should resolve the given promise');
+
+    promise_test(t => {
+        const kScriptURL = get_host_info().HTTPS_REMOTE_ORIGIN +
+                           '/worklets/resources/empty-worklet-script.js';
+        return promise_rejects(t, new DOMException('', 'AbortError'),
+                               worklet.addModule(
+                                   '/common/redirect.py?location=' +
+                                   encodeURIComponent(kScriptURL)));
+    }, 'Importing a cross-origin-redirected resource without the ' +
+       'Access-Control-Allow-Origin header should reject the given promise');
+
     promise_test(t => {
         const kScriptURL = 'resources/syntax-error-worklet-script.js';
         return promise_rejects(t, new DOMException('', 'AbortError'),