

Add redirected cases to CSP/import tests in wpt/worklets
Also, this CL replaces some uses of empty-worklet-script.js
in CSP tests with empty-worklet-script-with-cors-header.js
to make sure worklets are rejected due to CSP, not CORS.

Change-Id: Ie463d206254c4c6728a79dae0ad79e4f7e333b92
hiroshige-g authored and chromium-wpt-export-bot committed Nov 8, 2018
1 parent b207ce6 commit f41165f
Showing 6 changed files with 182 additions and 98 deletions.
247 changes: 151 additions & 96 deletions worklets/resources/csp-tests.js
Expand Up @@ -22,109 +22,164 @@ function openWindowAndExpectResult(windowURL, scriptURL, type, expectation) {
// Usage:
// runContentSecurityPolicyTests("paint");
function runContentSecurityPolicyTests(workletType) {
promise_test(t => {
const kWindowURL =
'resources/addmodule-window.html?pipe=header(' +
'Content-Security-Policy, script-src \'self\' \'unsafe-inline\')';
const kScriptURL =
get_host_info().HTTPS_REMOTE_ORIGIN +
'/worklets/resources/import-empty-worklet-script-with-cors-header.js';
return openWindowAndExpectResult(
kWindowURL, kScriptURL, workletType, 'REJECTED');
}, 'Importing a remote-origin worklet script should be blocked by the ' +
'script-src \'self\' directive.');
runSrcTests(workletType);
runMixedContentTests(workletType);
runUpgradeInsecureRequestsTests(workletType);
}

promise_test(t => {
const kWindowURL =
// script-src and worker-src tests.
function runSrcTests(workletType) {
const kWindowConfigs = [
{
'windowURL':
'resources/addmodule-window.html?pipe=header(' +
'Content-Security-Policy, script-src \'self\' \'unsafe-inline\')';
const kScriptURL = 'import-remote-origin-empty-worklet-script.sub.js';
return openWindowAndExpectResult(
kWindowURL, kScriptURL, workletType, 'REJECTED');
}, 'Importing a remote-origin script from a same-origin worklet script ' +
'should be blocked by the script-src \'self\' directive.');

promise_test(t => {
const kWindowURL =
'Content-Security-Policy, script-src \'self\' \'unsafe-inline\')',
'crossOriginExpectation': 'REJECTED',
'message': 'should be blocked by the script-src \'self\' directive.'
},
{
'windowURL':
'resources/addmodule-window.html?pipe=header(' +
'Content-Security-Policy, script-src * \'unsafe-inline\')';
const kScriptURL =
get_host_info().HTTPS_REMOTE_ORIGIN +
'/worklets/resources/empty-worklet-script-with-cors-header.js';
return openWindowAndExpectResult(
kWindowURL, kScriptURL, workletType, 'RESOLVED');
}, 'Importing a remote-origin worklet script should not be blocked ' +
'because the script-src * directive allows it.');

promise_test(t => {
const kWindowURL =
'Content-Security-Policy, script-src ' + location.origin + ' ' +
get_host_info().HTTPS_REMOTE_ORIGIN + ' \'unsafe-inline\')',
'crossOriginExpectation': 'RESOLVED',
'message':
'should be blocked by the script-src directive specifying the origin.'
},
{
'windowURL':
'resources/addmodule-window.html?pipe=header(' +
'Content-Security-Policy, script-src * \'unsafe-inline\')';
// A worklet on HTTPS_REMOTE_ORIGIN will import a child script on
// HTTPS_REMOTE_ORIGIN.
const kScriptURL =
get_host_info().HTTPS_REMOTE_ORIGIN +
'/worklets/resources/import-empty-worklet-script-with-cors-header.js';
return openWindowAndExpectResult(
kWindowURL, kScriptURL, workletType, 'RESOLVED');
}, 'Importing a remote-origin script from a remote-origin worklet script '+
'should not be blocked because the script-src * directive allows it.');

promise_test(t => {
const kWindowURL =
'Content-Security-Policy, script-src * \'unsafe-inline\')',
'crossOriginExpectation': 'RESOLVED',
'message':
'should not be blocked because the script-src * directive allows it.'
},
{
'windowURL':
'resources/addmodule-window.html?pipe=header(' +
'Content-Security-Policy, worker-src \'self\' \'unsafe-inline\')';
const kScriptURL =
get_host_info().HTTPS_REMOTE_ORIGIN +
'/worklets/resources/empty-worklet-script-with-cors-header.js';
return openWindowAndExpectResult(
kWindowURL, kScriptURL, workletType, 'RESOLVED');
}, 'Importing a remote-origin worklet script should not be blocked by ' +
'the worker-src directive because worklets obey the script-src ' +
'directive.');
'Content-Security-Policy, worker-src \'self\' \'unsafe-inline\')',
'crossOriginExpectation': 'RESOLVED',
'message':
'should not be blocked by the worker-src directive ' +
'because worklets obey the script-src directive.'
}
];
for (const windowConfig of kWindowConfigs) {
promise_test(t => {
const kScriptURL =
get_host_info().HTTPS_REMOTE_ORIGIN +
'/worklets/resources/empty-worklet-script-with-cors-header.js';
return openWindowAndExpectResult(
windowConfig.windowURL, kScriptURL, workletType,
windowConfig.crossOriginExpectation);
},
'A remote-origin worklet ' + windowConfig.message);

promise_test(t => {
const kWindowURL = 'resources/addmodule-window.html';
const kScriptURL =
get_host_info().HTTP_ORIGIN +
'/worklets/resources/empty-worklet-script.js';
return openWindowAndExpectResult(
kWindowURL, kScriptURL, workletType, 'REJECTED');
}, 'Importing an insecure-origin worklet script should be blocked because ' +
'of mixed contents.');
promise_test(t => {
const kScriptURL = 'import-remote-origin-empty-worklet-script.sub.js';
return openWindowAndExpectResult(
windowConfig.windowURL, kScriptURL, workletType,
windowConfig.crossOriginExpectation);
},
'A same-origin worklet importing a remote-origin script ' +
windowConfig.message);

promise_test(t => {
const kWindowURL = 'resources/addmodule-window.html?pipe=header(' +
'Content-Security-Policy, upgrade-insecure-requests)';
// This test relies on some unintuitive cleverness due to WPT's test setup:
// 'Upgrade-Insecure-Requests' does not upgrade the port number, so we use
// URLs in the form `http://[host]:[https-port]`. If the upgrade fails, the
// load will fail, as we don't serve HTTP over the secure port.
const kHost = get_host_info().ORIGINAL_HOST;
const kPort = get_host_info().HTTPS_PORT;
const kScriptURL =
`http://${kHost}:${kPort}/worklets/resources/empty-worklet-script.js`;
return openWindowAndExpectResult(
kWindowURL, kScriptURL, workletType, 'RESOLVED');
}, 'Importing an insecure-origin worklet script should not be blocked ' +
'because the upgrade-insecure-requests directive translates it as the ' +
'secure origin.');
promise_test(t => {
// A worklet on HTTPS_REMOTE_ORIGIN will import a child script on
// HTTPS_REMOTE_ORIGIN.
const kScriptURL =
get_host_info().HTTPS_REMOTE_ORIGIN +
'/worklets/resources/import-empty-worklet-script-with-cors-header.js';
return openWindowAndExpectResult(
windowConfig.windowURL, kScriptURL, workletType,
windowConfig.crossOriginExpectation);
},
'A remote-origin worklet importing a remote-origin script ' +
windowConfig.message);

promise_test(t => {
const kScriptURL =
'/common/redirect.py?location=' + encodeURIComponent(
get_host_info().HTTPS_REMOTE_ORIGIN +
'/worklets/resources/empty-worklet-script-with-cors-header.js');
return openWindowAndExpectResult(
windowConfig.windowURL, kScriptURL, workletType,
windowConfig.crossOriginExpectation);
},
'A remote-origin-redirected worklet ' + windowConfig.message);

promise_test(t => {
const kScriptURL =
'import-remote-origin-redirected-empty-worklet-script.sub.js';
return openWindowAndExpectResult(
windowConfig.windowURL, kScriptURL, workletType,
windowConfig.crossOriginExpectation);
},
'A same-origin worklet importing a remote-origin-redirected script ' +
windowConfig.message);
}
}

// Mixed content tests.
function runMixedContentTests(workletType) {
const kInsecureURL =
get_host_info().HTTP_ORIGIN +
'/worklets/resources/empty-worklet-script-with-cors-header.js';
const scriptConfigs = [
{URL: kInsecureURL,
message: 'An insecure-origin worklet'},
{URL: '/common/redirect.py?location=' + encodeURIComponent(kInsecureURL),
message: 'An insecure-origin-redirected worklet'},
{URL: 'import-insecure-origin-empty-worklet-script.sub.js',
message: 'A same-origin worklet importing an insecure-origin script'},
{URL: 'import-insecure-origin-redirected-empty-worklet-script.sub.js',
message: 'A same-origin worklet ' +
'importing an insecure-origin-redirected script'}
];
for (const scriptConfig of scriptConfigs) {
promise_test(t => {
const kWindowURL = 'resources/addmodule-window.html';
return openWindowAndExpectResult(
kWindowURL, scriptConfig.URL, workletType, 'REJECTED');
},
scriptConfig.message + ' should be blocked because of mixed contents.');
}
}

promise_test(t => {
const kWindowURL = 'resources/addmodule-window.html';
const kScriptURL = 'import-insecure-origin-empty-worklet-script.sub.js';
return openWindowAndExpectResult(
kWindowURL, kScriptURL, workletType, 'REJECTED');
}, 'Importing an insecure-origin script from a secure-origin worklet ' +
'script should be blocked because of mixed contents.');
// upgrade-insecure-requests tests.
function runUpgradeInsecureRequestsTests(workletType) {
// |kToBeUpgradedURL| is expected to upgraded/loaded successfully with
// upgrade-insecure-requests is specified.
// This relies on some unintuitive cleverness due to WPT's test setup:
// 'Upgrade-Insecure-Requests' does not upgrade the port number, so we use
// URLs in the form `http://[host]:[https-port]`. If the upgrade fails, the
// load will fail, as we don't serve HTTP over the secure port.
const kHost = get_host_info().ORIGINAL_HOST;
const kPort = get_host_info().HTTPS_PORT;
const kToBeUpgradedURL =
`http://${kHost}:${kPort}/worklets/resources/empty-worklet-script-with-cors-header.js`;

promise_test(t => {
const kWindowURL = 'resources/addmodule-window.html?pipe=header(' +
'Content-Security-Policy, upgrade-insecure-requests)';
const kScriptURL = 'import-insecure-origin-empty-worklet-script.sub.js';
return openWindowAndExpectResult(
kWindowURL, kScriptURL, workletType, 'RESOLVED');
}, 'Importing an insecure-origin script from a secure-origin worklet ' +
'script should not be blocked because the upgrade-insecure-requests ' +
'directive translates it as the secure origin.');
const scriptConfigs = [
{URL: kToBeUpgradedURL,
message: 'An insecure-origin worklet'},
{URL: '/common/redirect.py?location=' +
encodeURIComponent(kToBeUpgradedURL),
message: 'An insecure-origin-redirected worklet'},
{URL: 'import-insecure-origin-empty-worklet-script.sub.js',
message: 'A same-origin worklet importing an insecure-origin script'},
{URL: 'import-insecure-origin-redirected-empty-worklet-script.sub.js',
message: 'A same-origin worklet ' +
'importing an insecure-origin-redirected script'}
];
for (const scriptConfig of scriptConfigs) {
promise_test(t => {
const kWindowURL =
'resources/addmodule-window.html?pipe=header(' +
'Content-Security-Policy, upgrade-insecure-requests)';
return openWindowAndExpectResult(
kWindowURL, scriptConfig.URL, workletType, 'RESOLVED');
},
scriptConfig.message +
' should not be blocked because of upgrade-insecure-requests.');
}
}
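Review bot: The second entry of kWindowConfigs in runSrcTests carries a message that contradicts its own expectation: its policy `script-src <location.origin> <HTTPS_REMOTE_ORIGIN> 'unsafe-inline'` lists both origins and the entry expects 'RESOLVED', yet its message reads 'should be blocked by the script-src directive specifying the origin.', so every test name generated from it states the opposite of what is asserted. Suggest `'message': 'should not be blocked because the script-src directive allows the origin.'`. The redirected cases added in the same loop start at the same-origin `/common/redirect.py` URL, so the REJECTED expectation under `script-src 'self'` depends on the policy being matched against the post-redirect URL; a comment such as `// The redirect target, not the initial same-origin URL, must be checked against script-src.` on the first redirected promise_test would record that intent, since nothing else in the file states it.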
Expand Up @@ -2,4 +2,4 @@
// 'Upgrade-Insecure-Requests' does not upgrade the port number, so we use URLs
// in the form `http://[host]:[https-port]`. If the upgrade fails, the load will
// fail, as we don't serve HTTP over the secure port.
import 'http://{{host}}:{{ports[https][0]}}/worklets/resources/empty-worklet-script.js';
import 'http://{{host}}:{{ports[https][0]}}/worklets/resources/empty-worklet-script-with-cors-header.js';
@@ -0,0 +1,5 @@
// Some tests rely on some unintuitive cleverness due to WPT's test setup:
// 'Upgrade-Insecure-Requests' does not upgrade the port number, so we use URLs
// in the form `http://[host]:[https-port]`. If the upgrade fails, the load will
// fail, as we don't serve HTTP over the secure port.
import '/common/redirect.py?location=http://{{host}}:{{ports[https][0]}}/worklets/resources/empty-worklet-script-with-cors-header.js';
@@ -1 +1 @@
import 'https://{{domains[www1]}}:{{ports[https][0]}}/worklets/resources/empty-worklet-script.js';
import 'https://{{domains[www1]}}:{{ports[https][0]}}/worklets/resources/empty-worklet-script-with-cors-header.js';
@@ -0,0 +1 @@
import '/common/redirect.py?location=https://{{domains[www1]}}:{{ports[https][0]}}/worklets/resources/empty-worklet-script-with-cors-header.js';
23 changes: 23 additions & 0 deletions worklets/resources/import-tests.js
Expand Up @@ -114,6 +114,29 @@ function runImportTests(worklet_type) {
}, 'Importing a cross origin resource without the ' +
'Access-Control-Allow-Origin header should reject the given promise');

promise_test(() => {
const kScriptURL = get_host_info().HTTPS_REMOTE_ORIGIN +
'/worklets/resources/empty-worklet-script.js' +
'?pipe=header(Access-Control-Allow-Origin, ' +
location.origin + ')';
return worklet.addModule('/common/redirect.py?location=' +
encodeURIComponent(kScriptURL))
.then(undefined_arg => {
assert_equals(undefined_arg, undefined);
});
}, 'Importing a cross-origin-redirected resource with the ' +
'Access-Control-Allow-Origin header should resolve the given promise');

promise_test(t => {
const kScriptURL = get_host_info().HTTPS_REMOTE_ORIGIN +
'/worklets/resources/empty-worklet-script.js';
return promise_rejects(t, new DOMException('', 'AbortError'),
worklet.addModule(
'/common/redirect.py?location=' +
encodeURIComponent(kScriptURL)));
}, 'Importing a cross-origin-redirected resource without the ' +
'Access-Control-Allow-Origin header should reject the given promise');

promise_test(t => {
const kScriptURL = 'resources/syntax-error-worklet-script.js';
return promise_rejects(t, new DOMException('', 'AbortError'),
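Review bot: The two redirected cases lack a comment saying what distinguishes them from the non-redirected cases directly above them: the request starts at the same-origin `/common/redirect.py` and only becomes cross-origin after the redirect, so the Access-Control-Allow-Origin check is being exercised on the final response rather than on the initial request. Suggest preceding the first new promise_test with `// Start same-origin and redirect cross-origin: CORS must be enforced on the post-redirect response.`. The enclosing runImportTests starts and ends outside the hunk.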
