ServiceWorker: Add WPT to check if CSP sandbox is respected

Bug: 771815
Change-Id: I11dc3cf67e3e40465f612f71fc318fd7061b6581
Reviewed-on: https://chromium-review.googlesource.com/915683
Reviewed-by: Matt Falkenhagen <falken@chromium.org>
Commit-Queue: Makoto Shimazu <shimazu@chromium.org>
Cr-Commit-Position: refs/heads/master@{#540467}

third_party/WebKit/LayoutTests/TestExpectations

@@ -624,6 +624,7 @@ crbug.com/626703 virtual/outofblink-cors/external/wpt/fetch/api/response/respons
 crbug.com/626703 virtual/outofblink-cors/external/wpt/fetch/http-cache/status.html [ Pass Timeout ]
 crbug.com/736308 virtual/outofblink-cors/external/wpt/service-workers/service-worker/foreign-fetch-basics.https.html [ Timeout ]
 crbug.com/736308 virtual/outofblink-cors/external/wpt/service-workers/service-worker/sandboxed-iframe-fetch-event.https.html [ Timeout ]
+crbug.com/736308 virtual/outofblink-cors/external/wpt/service-workers/service-worker/worker-in-sandboxed-iframe-by-csp-fetch-event.https.html [ Timeout ]
 
 # Failing tests in dictionary order.
 crbug.com/736308 virtual/outofblink-cors/external/wpt/service-workers/service-worker/fetch-canvas-tainting-image-cache.https.html [ Failure ]
@@ -3260,6 +3261,9 @@ crbug.com/783154 [ Mac ] virtual/modern-media-controls/media/controls/modern/dou
 
 crbug.com/802915 css3/blending/isolation-should-include-non-local-background.html [ Failure ]
 
+crbug.com/807838 external/wpt/service-workers/service-worker/worker-in-sandboxed-iframe-by-csp-fetch-event.https.html [ Crash ]
+crbug.com/807838 virtual/navigation-mojo-response/external/wpt/service-workers/service-worker/worker-in-sandboxed-iframe-by-csp-fetch-event.https.html [ Crash ]
+
 # Sheriff faulures 2017-12-12
 crbug.com/794180 http/tests/devtools/layers/layer-compositing-reasons.js [ Failure Pass ]
 

third_party/WebKit/LayoutTests/external/wpt/service-workers/service-worker/resources/sandboxed-iframe-fetch-event-iframe.py

@@ -7,6 +7,9 @@ def main(request, response):
       body = f.read()
     return (header, body)
 
+  if 'sandbox' in request.GET:
+    header.append(('Content-Security-Policy',
+                   'sandbox %s' % request.GET['sandbox']))
   with open(os.path.join(os.path.dirname(__file__),
                          'sandboxed-iframe-fetch-event-iframe.html'), 'r') as f:
     body = f.read()

third_party/WebKit/LayoutTests/external/wpt/service-workers/service-worker/sandboxed-iframe-fetch-event.https-expected.txt

@@ -0,0 +1,32 @@
+This is a testharness.js-based test.
+PASS Prepare a service worker.
+PASS Prepare a normal iframe.
+PASS Prepare an iframe sandboxed by <iframe sandbox="allow-scripts">.
+PASS Prepare an iframe sandboxed by <iframe sandbox="allow-scripts allow-same-origin">.
+FAIL Prepare an iframe sandboxed by CSP HTTP header with allow-scripts. assert_false: Service worker should NOT control the sandboxed page expected false got true
+PASS Prepare an iframe sandboxed by CSP HTTP header with allow-scripts and allow-same-origin.
+PASS Fetch request from a normal iframe
+PASS Fetch request from a worker in a normal iframe
+PASS Request for an iframe in the normal iframe
+PASS Request for an sandboxed iframe with allow-scripts flag in the normal iframe
+PASS Request for an sandboxed iframe with allow-scripts and allow-same-origin flag in the normal iframe
+PASS Fetch request from iframe sandboxed by an attribute with allow-scripts flag
+PASS Fetch request from a worker in iframe sandboxed by an attribute with allow-scripts flag
+PASS Request for an iframe in the iframe sandboxed by an attribute with allow-scripts flag
+PASS Request for an sandboxed iframe with allow-scripts flag in the iframe sandboxed by an attribute with allow-scripts flag
+PASS Request for an sandboxed iframe with allow-scripts and allow-same-origin flag in the iframe sandboxed by an attribute with allow-scripts flag
+PASS Fetch request from iframe sandboxed by an attribute with allow-scripts and allow-same-origin flag
+PASS Fetch request from a worker in iframe sandboxed by an attribute with allow-scripts and allow-same-origin flag
+PASS Request for an iframe in the iframe sandboxed by an attribute with allow-scripts and allow-same-origin flag
+PASS Request for an sandboxed iframe with allow-scripts flag in the iframe sandboxed by attribute with allow-scripts and allow-same-origin flag
+PASS Request for an sandboxed iframe with allow-scripts and allow-same-origin flag in the iframe sandboxed by attribute with allow-scripts and allow-same-origin flag
+FAIL Fetch request from iframe sandboxed by CSP HTTP header with allow-scripts flag assert_equals: The request should NOT be handled by SW. expected 0 but got 1
+PASS Request for an iframe in the iframe sandboxed by CSP HTTP header with allow-scripts flag
+PASS Request for an sandboxed iframe with allow-scripts flag in the iframe sandboxed by CSP HTTP header with allow-scripts flag
+PASS Request for an sandboxed iframe with allow-scripts and allow-same-origin flag in the iframe sandboxed by CSP HTTP header with allow-scripts flag
+PASS Fetch request from iframe sandboxed by CSP HTTP header with allow-scripts and allow-same-origin flag
+PASS Request for an iframe in the iframe sandboxed by CSP HTTP header with allow-scripts and allow-same-origin flag
+PASS Request for an sandboxed iframe with allow-scripts flag in the iframe sandboxed by CSP HTTP header with allow-scripts and allow-same-origin flag
+PASS Request for an sandboxed iframe with allow-scripts and allow-same-origin flag in the iframe sandboxed by CSP HTTP header with allow-scripts and allow-same-origin flag
+Harness: the test ran to completion.
+

third_party/WebKit/LayoutTests/external/wpt/service-workers/service-worker/sandboxed-iframe-fetch-event.https.html

@@ -52,6 +52,14 @@
 // An iframe created by <iframe sandbox='allow-scripts allow-same-origin'>.
 // This should be controlled by a service worker.
 let sandboxed_same_origin_frame;
+// An iframe whose response header has
+// 'Content-Security-Policy: allow-scripts'.
+// This should NOT be controlled by a service worker.
+let sandboxed_frame_by_header;
+// An iframe whose response header has
+// 'Content-Security-Policy: allow-scripts allow-same-origin'.
+// This should be controlled by a service worker.
+let sandboxed_same_origin_frame_by_header;
 
 promise_test(t => {
   return service_worker_unregister_and_register(t, SCRIPT, SCOPE)
@@ -110,6 +118,44 @@
 }, 'Prepare an iframe sandboxed by ' +
    '<iframe sandbox="allow-scripts allow-same-origin">.');
 
+promise_test(t => {
+  const iframe_full_url = expected_base_url + '?sandbox=allow-scripts&' +
+                          'sandboxed-frame-by-header';
+  return with_iframe(iframe_full_url)
+    .then(f => {
+      sandboxed_frame_by_header = f;
+      add_completion_callback(() => f.remove());
+      return getResultsFromWorker(worker);
+    })
+    .then(data => {
+      let requests = data.requests;
+      assert_equals(requests.length, 1,
+                    'Service worker should provide the response');
+      assert_equals(requests[0], iframe_full_url);
+      assert_false(data.clients.includes(iframe_full_url),
+                   'Service worker should NOT control the sandboxed page');
+    });
+}, 'Prepare an iframe sandboxed by CSP HTTP header with allow-scripts.');
+
+promise_test(t => {
+  const iframe_full_url =
+    expected_base_url + '?sandbox=allow-scripts%20allow-same-origin&' +
+    'sandboxed-iframe-same-origin-by-header';
+  return with_iframe(iframe_full_url)
+    .then(f => {
+      sandboxed_same_origin_frame_by_header = f;
+      add_completion_callback(() => f.remove());
+      return getResultsFromWorker(worker);
+    })
+    .then(data => {
+      let requests = data.requests;
+      assert_equals(requests.length, 1);
+      assert_equals(requests[0], iframe_full_url);
+      assert_true(data.clients.includes(iframe_full_url));
+    })
+}, 'Prepare an iframe sandboxed by CSP HTTP header with allow-scripts and ' +
+   'allow-same-origin.');
+
 promise_test(t => {
   let frame = normal_frame;
   return doTest(frame, 'fetch')
@@ -353,5 +399,137 @@
 }, 'Request for an sandboxed iframe with allow-scripts and ' +
    'allow-same-origin flag in the iframe sandboxed by attribute with ' +
    'allow-scripts and allow-same-origin flag');
+
+promise_test(t => {
+  let frame = sandboxed_frame_by_header;
+  return doTest(frame, 'fetch')
+    .then(result => {
+      assert_equals(result, 'done');
+      return getResultsFromWorker(worker);
+    })
+    .then(data => {
+      assert_equals(data.requests.length, 0,
+                    'The request should NOT be handled by SW.');
+    });
+}, 'Fetch request from iframe sandboxed by CSP HTTP header with ' +
+   'allow-scripts flag');
+
+promise_test(t => {
+  let frame = sandboxed_frame_by_header;
+  return doTest(frame, 'iframe')
+    .then(result => {
+      assert_equals(result, 'done');
+      return getResultsFromWorker(worker);
+    })
+    .then(data => {
+      assert_equals(data.requests.length, 0,
+                    'The request should NOT be handled by SW.');
+      assert_false(data.clients.includes(frame.src + '&test=iframe'));
+    });
+}, 'Request for an iframe in the iframe sandboxed by CSP HTTP header with ' +
+   'allow-scripts flag');
+
+promise_test(t => {
+  let frame = sandboxed_frame_by_header;
+  return doTest(frame, 'sandboxed-iframe')
+    .then(result => {
+      assert_equals(result, 'done');
+      return getResultsFromWorker(worker);
+    })
+    .then(data => {
+      assert_equals(data.requests.length, 0,
+                    'The request should NOT be handled by SW.');
+      assert_false(data.clients.includes(
+        frame.src + '&test=sandboxed-iframe'));
+    });
+}, 'Request for an sandboxed iframe with allow-scripts flag in the iframe ' +
+   'sandboxed by CSP HTTP header with allow-scripts flag');
+
+promise_test(t => {
+  let frame = sandboxed_frame_by_header;
+  return doTest(frame, 'sandboxed-iframe-same-origin')
+    .then(result => {
+      assert_equals(result, 'done');
+      return getResultsFromWorker(worker);
+    })
+    .then(data => {
+      assert_equals(data.requests.length, 0,
+                    'The request should NOT be handled by SW.');
+      assert_false(data.clients.includes(
+        frame.src + '&test=sandboxed-iframe-same-origin'));
+    });
+}, 'Request for an sandboxed iframe with allow-scripts and ' +
+   'allow-same-origin flag in the iframe sandboxed by CSP HTTP header with ' +
+   'allow-scripts flag');
+
+promise_test(t => {
+  let frame = sandboxed_same_origin_frame_by_header;
+  return doTest(frame, 'fetch')
+    .then(result => {
+      assert_equals(result, 'done');
+      return getResultsFromWorker(worker);
+    })
+    .then(data => {
+      let requests = data.requests;
+      assert_equals(requests.length, 1,
+                    'The request should be handled by SW.');
+      assert_equals(requests[0], frame.src + '&test=fetch');
+    });
+}, 'Fetch request from iframe sandboxed by CSP HTTP header with ' +
+   'allow-scripts and allow-same-origin flag');
+
+promise_test(t => {
+  let frame = sandboxed_same_origin_frame_by_header;
+  return doTest(frame, 'iframe')
+    .then(result => {
+      assert_equals(result, 'done');
+      return getResultsFromWorker(worker);
+    })
+    .then(data => {
+      let requests = data.requests;
+      assert_equals(requests.length, 1,
+                    'The request should be handled by SW.');
+      assert_equals(requests[0], frame.src + '&test=iframe');
+      assert_true(data.clients.includes(frame.src + '&test=iframe'));
+    });
+}, 'Request for an iframe in the iframe sandboxed by CSP HTTP header with ' +
+   'allow-scripts and allow-same-origin flag');
+
+promise_test(t => {
+  let frame = sandboxed_same_origin_frame_by_header;
+  return doTest(frame, 'sandboxed-iframe')
+    .then(result => {
+      assert_equals(result, 'done');
+      return getResultsFromWorker(worker);
+    })
+    .then(data => {
+      assert_equals(data.requests.length, 0,
+                    'The request should NOT be handled by SW.');
+      assert_false(
+        data.clients.includes(frame.src + '&test=sandboxed-iframe'));
+    });
+}, 'Request for an sandboxed iframe with allow-scripts flag in the ' +
+   'iframe sandboxed by CSP HTTP header with allow-scripts and ' +
+   'allow-same-origin flag');
+
+promise_test(t => {
+  let frame = sandboxed_same_origin_frame_by_header;
+  return doTest(frame, 'sandboxed-iframe-same-origin')
+    .then(result => {
+      assert_equals(result, 'done');
+      return getResultsFromWorker(worker);
+    })
+    .then(data => {
+      let requests = data.requests;
+      assert_equals(requests.length, 1,
+                    'The request should be handled by SW.');
+      assert_equals(requests[0],
+                    frame.src + '&test=sandboxed-iframe-same-origin');
+      assert_true(data.clients.includes(
+        frame.src + '&test=sandboxed-iframe-same-origin'));
+    });
+}, 'Request for an sandboxed iframe with allow-scripts and ' +
+   'allow-same-origin flag in the iframe sandboxed by CSP HTTP header with ' +
+   'allow-scripts and allow-same-origin flag');
 </script>
 </body>

third_party/WebKit/LayoutTests/external/wpt/service-workers/service-worker/worker-in-sandboxed-iframe-by-csp-fetch-event.https.html

@@ -0,0 +1,132 @@
+<!DOCTYPE html>
+<title>ServiceWorker FetchEvent issued from workers in an iframe sandboxed via CSP HTTP response header.</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="resources/test-helpers.sub.js"></script>
+<body>
+<script>
+let lastCallbackId = 0;
+let callbacks = {};
+function doTest(frame, type) {
+  return new Promise(function(resolve) {
+    var id = ++lastCallbackId;
+    callbacks[id] = resolve;
+    frame.contentWindow.postMessage({id: id, type: type}, '*');
+  });
+}
+
+// Asks the service worker for data about requests and clients seen. The
+// worker posts a message back with |data| where:
+// |data.requests|: the requests the worker received FetchEvents for
+// |data.clients|: the URLs of all the worker's clients
+// The worker clears its data after responding.
+function getResultsFromWorker(worker) {
+  return new Promise(resolve => {
+    let channel = new MessageChannel();
+    channel.port1.onmessage = msg => {
+      resolve(msg.data);
+    };
+    worker.postMessage({port: channel.port2}, [channel.port2]);
+  });
+}
+
+window.onmessage = function (e) {
+  message = e.data;
+  let id = message['id'];
+  let callback = callbacks[id];
+  delete callbacks[id];
+  callback(message['result']);
+};
+
+const SCOPE = 'resources/sandboxed-iframe-fetch-event-iframe.py';
+const SCRIPT = 'resources/sandboxed-iframe-fetch-event-worker.js';
+const expected_base_url = new URL(SCOPE, location.href);
+// A service worker controlling |SCOPE|.
+let worker;
+// An iframe whose response header has
+// 'Content-Security-Policy: allow-scripts'.
+// This should NOT be controlled by a service worker.
+let sandboxed_frame_by_header;
+// An iframe whose response header has
+// 'Content-Security-Policy: allow-scripts allow-same-origin'.
+// This should be controlled by a service worker.
+let sandboxed_same_origin_frame_by_header;
+
+promise_test(t => {
+  return service_worker_unregister_and_register(t, SCRIPT, SCOPE)
+    .then(function(registration) {
+      add_completion_callback(() => registration.unregister());
+      worker = registration.installing;
+      return wait_for_state(t, registration.installing, 'activated');
+    });
+}, 'Prepare a service worker.');
+
+promise_test(t => {
+  const iframe_full_url = expected_base_url + '?sandbox=allow-scripts&' +
+                          'sandboxed-frame-by-header';
+  return with_iframe(iframe_full_url)
+    .then(f => {
+      sandboxed_frame_by_header = f;
+      add_completion_callback(() => f.remove());
+      return getResultsFromWorker(worker);
+    })
+    .then(data => {
+      let requests = data.requests;
+      assert_equals(requests.length, 1,
+                    'Service worker should provide the response');
+      assert_equals(requests[0], iframe_full_url);
+      assert_false(data.clients.includes(iframe_full_url),
+                   'Service worker should NOT control the sandboxed page');
+    });
+}, 'Prepare an iframe sandboxed by CSP HTTP header with allow-scripts.');
+
+promise_test(t => {
+  const iframe_full_url =
+    expected_base_url + '?sandbox=allow-scripts%20allow-same-origin&' +
+    'sandboxed-iframe-same-origin-by-header';
+  return with_iframe(iframe_full_url)
+    .then(f => {
+      sandboxed_same_origin_frame_by_header = f;
+      add_completion_callback(() => f.remove());
+      return getResultsFromWorker(worker);
+    })
+    .then(data => {
+      let requests = data.requests;
+      assert_equals(requests.length, 1);
+      assert_equals(requests[0], iframe_full_url);
+      assert_true(data.clients.includes(iframe_full_url));
+    })
+}, 'Prepare an iframe sandboxed by CSP HTTP header with allow-scripts and ' +
+   'allow-same-origin.');
+
+promise_test(t => {
+  let frame = sandboxed_frame_by_header;
+  return doTest(frame, 'fetch-from-worker')
+    .then(result => {
+      assert_equals(result, 'done');
+      return getResultsFromWorker(worker);
+    })
+    .then(data => {
+      assert_equals(data.requests.length, 0,
+                    'The request should NOT be handled by SW.');
+    });
+}, 'Fetch request from a worker in iframe sandboxed by CSP HTTP header ' +
+   'allow-scripts flag');
+
+promise_test(t => {
+  let frame = sandboxed_same_origin_frame_by_header;
+  return doTest(frame, 'fetch-from-worker')
+    .then(result => {
+      assert_equals(result, 'done');
+      return getResultsFromWorker(worker);
+    })
+    .then(data => {
+      let requests = data.requests;
+      assert_equals(requests.length, 1,
+                    'The request should be handled by SW.');
+      assert_equals(requests[0], frame.src + '&test=fetch-from-worker');
+    });
+}, 'Fetch request from a worker in iframe sandboxed by CSP HTTP header ' +
+   'with allow-scripts and allow-same-origin flag');
+</script>
+</body>