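/**
 * Opens `url` in a new top-level window and resolves with that window once it
 * posts 'LOADED' back to the opener.
 *
 * The popup is closed through add_result_callback(), i.e. when the calling
 * test reports a result, so a failing test does not leave the window behind.
 *
 * The handshake is installed as `window.onmessage`, replacing any previous
 * handler, and fires on the first message regardless of its source or origin;
 * this relies on the opened page being the only poster while it is pending.
 *
 * @param {string} url - page to open; it is expected to postMessage('LOADED').
 * @returns {Promise<Window>} resolves with the opened window; rejects if the
 *   first message received is not 'LOADED'.
 */
function openWindow(url) {
  return new Promise((resolve, reject) => {
    const win = window.open(url, '_blank');
    add_result_callback(() => win.close());
    window.onmessage = (e) => {
      // An assertion thrown inside an event handler escapes the promise chain
      // and would leave the caller pending until the harness timeout; turn it
      // into a rejection so the owning test fails promptly instead.
      try {
        assert_equals(e.data, 'LOADED');
      } catch (err) {
        reject(err);
        return;
      }
      resolve(win);
    };
  });
}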

/**
 * Opens `windowURL`, asks the page to import `scriptURL` into the `type`
 * worklet and asserts that the page's reply equals `expectation`.
 *
 * The request is sent with postMessage(..., '*') and the reply is taken from
 * a fresh `window.onmessage` handler, which resolves on the first message it
 * sees from any source; the page is expected to answer with a single message
 * whose data is e.g. 'RESOLVED' or 'REJECTED'.
 *
 * @param {string} windowURL - page to open via openWindow().
 * @param {string} scriptURL - script the page should import.
 * @param {string} type - worklet kind, e.g. 'paint'.
 * @param {string} expectation - reply the page must send back.
 * @returns {Promise<void>} rejects through assert_equals() on a mismatch.
 */
async function openWindowAndExpectResult(windowURL, scriptURL, type, expectation) {
  const win = await openWindow(windowURL);
  // Install the reply listener before posting so the answer cannot be missed.
  const reply = new Promise((resolve) => {
    window.onmessage = resolve;
  });
  win.postMessage({ type, script_url: scriptURL }, '*');
  const { data } = await reply;
  assert_equals(data, expectation);
}

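// Runs a series of tests related to content security policy on a worklet.
//
// Every test opens resources/addmodule-window.html, optionally with a
// Content-Security-Policy response header injected through the WPT
// `?pipe=header(...)` query, asks that page to import a script into the
// `workletType` worklet and checks whether the import was 'RESOLVED' or
// 'REJECTED' (see openWindowAndExpectResult()).
//
// Usage:
// runContentSecurityPolicyTests("paint");
function runContentSecurityPolicyTests(workletType) {
  const kWindowURL = 'resources/addmodule-window.html';

  // Same page, served with `directives` as its Content-Security-Policy
  // response header (injected by the WPT `pipe=header` mechanism).
  const cspWindowURL = (directives) =>
      `${kWindowURL}?pipe=header(Content-Security-Policy, ${directives})`;

  const kScriptSrcSelfWindowURL =
      cspWindowURL('script-src \'self\' \'unsafe-inline\'');
  const kScriptSrcAnyWindowURL =
      cspWindowURL('script-src * \'unsafe-inline\'');
  const kWorkerSrcSelfWindowURL =
      cspWindowURL('worker-src \'self\' \'unsafe-inline\'');
  const kUpgradeInsecureWindowURL =
      cspWindowURL('upgrade-insecure-requests');

  // Registers one test: importing the script returned by `scriptURL()` into
  // the worklet from a page at `windowURL` must yield `expectation`.
  // `scriptURL` is a thunk so that get_host_info() is consulted when the
  // test runs, not when it is registered.
  const importTest = (windowURL, scriptURL, expectation, description) => {
    promise_test(
        () => openWindowAndExpectResult(
            windowURL, scriptURL(), workletType, expectation),
        description);
  };

  const remoteOrigin = () => get_host_info().HTTPS_REMOTE_ORIGIN;

  importTest(
      kScriptSrcSelfWindowURL,
      () => remoteOrigin() +
          '/worklets/resources/import-empty-worklet-script-with-cors-header.js',
      'REJECTED',
      'Importing a remote-origin worklet script should be blocked by the ' +
      'script-src \'self\' directive.');

  importTest(
      kScriptSrcSelfWindowURL,
      () => 'import-remote-origin-empty-worklet-script.sub.js',
      'REJECTED',
      'Importing a remote-origin script from a same-origin worklet script ' +
      'should be blocked by the script-src \'self\' directive.');

  importTest(
      kScriptSrcAnyWindowURL,
      () => remoteOrigin() +
          '/worklets/resources/empty-worklet-script-with-cors-header.js',
      'RESOLVED',
      'Importing a remote-origin worklet script should not be blocked ' +
      'because the script-src * directive allows it.');

  // A worklet on HTTPS_REMOTE_ORIGIN will import a child script on
  // HTTPS_REMOTE_ORIGIN.
  importTest(
      kScriptSrcAnyWindowURL,
      () => remoteOrigin() +
          '/worklets/resources/import-empty-worklet-script-with-cors-header.js',
      'RESOLVED',
      'Importing a remote-origin script from a remote-origin worklet script ' +
      'should not be blocked because the script-src * directive allows it.');

  importTest(
      kWorkerSrcSelfWindowURL,
      () => remoteOrigin() +
          '/worklets/resources/empty-worklet-script-with-cors-header.js',
      'RESOLVED',
      'Importing a remote-origin worklet script should not be blocked by ' +
      'the worker-src directive because worklets obey the script-src ' +
      'directive.');

  importTest(
      kWindowURL,
      () => get_host_info().HTTP_ORIGIN +
          '/worklets/resources/empty-worklet-script.js',
      'REJECTED',
      'Importing an insecure-origin worklet script should be blocked because ' +
      'of mixed contents.');

  // This test relies on some unintuitive cleverness due to WPT's test setup:
  // 'Upgrade-Insecure-Requests' does not upgrade the port number, so we use
  // URLs in the form `http://[host]:[https-port]`. If the upgrade fails, the
  // load will fail, as we don't serve HTTP over the secure port.
  importTest(
      kUpgradeInsecureWindowURL,
      () => {
        const kHost = get_host_info().ORIGINAL_HOST;
        const kPort = get_host_info().HTTPS_PORT;
        return `http://${kHost}:${kPort}/worklets/resources/empty-worklet-script.js`;
      },
      'RESOLVED',
      'Importing an insecure-origin worklet script should not be blocked ' +
      'because the upgrade-insecure-requests directive translates it as the ' +
      'secure origin.');

  importTest(
      kWindowURL,
      () => 'import-insecure-origin-empty-worklet-script.sub.js',
      'REJECTED',
      'Importing an insecure-origin script from a secure-origin worklet ' +
      'script should be blocked because of mixed contents.');

  importTest(
      kUpgradeInsecureWindowURL,
      () => 'import-insecure-origin-empty-worklet-script.sub.js',
      'RESOLVED',
      'Importing an insecure-origin script from a secure-origin worklet ' +
      'script should not be blocked because the upgrade-insecure-requests ' +
      'directive translates it as the secure origin.');
}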