Unified Diff: third_party/WebKit/LayoutTests/http/tests/serviceworker/fetch-csp.html

Issue 1454003003: [CSP] Don't check the path component of the URL when the response was fetched via ServiceWorker. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Created 5 years, 1 month ago
Index: third_party/WebKit/LayoutTests/http/tests/serviceworker/fetch-csp.html
diff --git a/third_party/WebKit/LayoutTests/http/tests/serviceworker/fetch-csp.html b/third_party/WebKit/LayoutTests/http/tests/serviceworker/fetch-csp.html
index 9ab88988136eb6017727fa5616687f73bb3e7013..032ae7afdacaa83e48be7ef27a7b9ff4b41b88f4 100644
--- a/third_party/WebKit/LayoutTests/http/tests/serviceworker/fetch-csp.html
+++ b/third_party/WebKit/LayoutTests/http/tests/serviceworker/fetch-csp.html
@@ -2,30 +2,110 @@
<title>Service Worker: CSP control of fetch()</title>
<script src="../resources/testharness.js"></script>
<script src="../resources/testharnessreport.js"></script>
-<script src="../resources/get-host-info.js"></script>
-<script src="resources/test-helpers.js?pipe=sub"></script>
+<script src="../resources/get-host-info.js?pipe=sub"></script>
+<script src="resources/test-helpers.js"></script>
<script>
-async_test(function(t) {
+
+function assert_resolves(promise, description) {
+ return promise.catch(function(reason) {
+ throw new Error(description + ' - ' + reason.message);
+ });
+}
+
+function assert_rejects(promise, description) {
+ return promise.then(
+ function() { throw new Error(description); },
+ function() {});
+}
+
+promise_test(function(t) {
var SCOPE = 'resources/fetch-csp-iframe.html';
var SCRIPT = 'resources/fetch-rewrite-worker.js';
var host_info = get_host_info();
- service_worker_unregister_and_register(t, SCRIPT, SCOPE)
+ var IMAGE_PATH =
+ base_path() + 'resources/fetch-access-control.php?PNGIMAGE';
+ var IMAGE_URL = host_info['HTTP_ORIGIN'] + IMAGE_PATH;
+ var REMOTE_IMAGE_URL = host_info['HTTP_REMOTE_ORIGIN'] + IMAGE_PATH;
+ var REDIRECT_URL =
+ host_info['HTTP_ORIGIN'] + base_path() + 'resources/redirect.php';
+ var frame;
+
+ return service_worker_unregister_and_register(t, SCRIPT, SCOPE)
.then(function(registration) {
return wait_for_state(t, registration.installing, 'activated');
})
- .then(function() { return with_iframe(SCOPE); })
- .then(function(frame) {
- return new Promise(function(resolve, reject) {
- var channel = new MessageChannel();
- channel.port1.onmessage = t.step_func(function(e) {
- assert_equals(e.data.results, 'finish');
- service_worker_unregister_and_done(t, SCOPE);
- });
- frame.contentWindow.postMessage({},
- host_info['HTTP_ORIGIN'],
- [channel.port2]);
- });
- })
- .catch(unreached_rejection(t));
+ .then(function() {
+ return with_iframe(
+ SCOPE + '?' +
+ encodeURIComponent('img-src ' + host_info['HTTP_ORIGIN'] +
+ '; script-src \'unsafe-inline\''));
+ })
+ .then(function(f) {
+ frame = f;
+ return assert_resolves(
+ frame.contentWindow.load_image(IMAGE_URL),
+ 'Allowed scope image resource should be loaded.');
+ })
+ .then(function() {
+ return assert_rejects(
+ frame.contentWindow.load_image(REMOTE_IMAGE_URL),
+ 'Disallowed scope image resource should not be loaded.');
+ })
+ .then(function() {
+ return assert_resolves(
+ frame.contentWindow.load_image(
+ // The request for IMAGE_URL will be fetched in SW.
+ './dummy?url=' + encodeURIComponent(IMAGE_URL)),
+ 'Allowed scope image resource which was fetched via SW should ' +
+ 'be loaded.');
+ })
+ .then(function() {
+ return assert_rejects(
+ frame.contentWindow.load_image(
+ // The request for REMOTE_IMAGE_URL will be fetched in SW.
+ './dummy?mode=no-cors&url=' +
+ encodeURIComponent(REMOTE_IMAGE_URL)),
+ 'Disallowed scope image resource which was fetched via SW ' +
+ 'should not be loaded.');
+ })
+ .then(function() {
+ frame.remove();
+ return with_iframe(
+ SCOPE + '?' +
+ encodeURIComponent(
+ 'img-src ' + REDIRECT_URL +
+ '; script-src \'unsafe-inline\''));
+ })
+ .then(function(f) {
+ frame = f;
+ return assert_resolves(
+ frame.contentWindow.load_image(
+ // Set 'ignore' not to call respondWith() in the SW.
+ REDIRECT_URL + '?ignore&Redirect=' +
+ encodeURIComponent(IMAGE_URL)),
+ 'When the request was redirected, CSP match algorithm should ' +
+ 'ignore the path component of the URL.');
+ })
+ .then(function() {
+ return assert_resolves(
+ frame.contentWindow.load_image(
+ // This request will be fetched via SW and redirected by
+ // redirect.php.
+ REDIRECT_URL + '?Redirect=' + encodeURIComponent(IMAGE_URL)),
+ 'When the request was redirected via SW, CSP match algorithm ' +
+ 'should ignore the path component of the URL.');
+ })
+ .then(function() {
+ return assert_resolves(
+ frame.contentWindow.load_image(
+ // The request for IMAGE_URL will be fetched in SW.
+ REDIRECT_URL + '?url=' + encodeURIComponent(IMAGE_URL)),
+ 'When the request was fetched via SW, CSP match algorithm ' +
+ 'should ignore the path component of the URL.');
+ })
+ .then(function() {
+ frame.remove();
+ service_worker_unregister_and_done(t, SCOPE);
+ });
}, 'Verify CSP control of fetch() in a Service Worker');
</script>
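Review bot: The final `.then` callback that calls `service_worker_unregister_and_done(t, SCOPE)` does not return that promise, so the promise handed back to promise_test settles before the registration is actually removed, and a helper whose name suggests it also calls `t.done()` duplicates the completion that promise_test already performs on the returned promise; `return service_worker_unregister(t, SCOPE);` would be the usual shape, assuming that helper exists in this copy of test-helpers.js. The two negative cases (`assert_rejects` for REMOTE_IMAGE_URL, with and without the SW) accept any rejection, so a failure unrelated to CSP — a network error, or a SW that never responds — would pass them as well; that limitation is worth stating in the test descriptions, or guarding against with a `securitypolicyviolation` listener in the iframe if the event is available. `assert_resolves` also assumes the rejection reason is an Error; if `load_image` (defined in fetch-csp-iframe.html, outside this diff) rejects with an event or a string, the message would read `undefined`, so `throw new Error(description + ' - ' + (reason && reason.message ? reason.message : reason));` is more robust.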
