ServiceWorker: Add WPT to check if CSP sandbox is respected
Bug: 771815
Change-Id: I11dc3cf67e3e40465f612f71fc318fd7061b6581
Reviewed-on: https://chromium-review.googlesource.com/915683
Reviewed-by: Matt Falkenhagen <falken@chromium.org>
Commit-Queue: Makoto Shimazu <shimazu@chromium.org>
Cr-Commit-Position: refs/heads/master@{#540467}
1 parent: a0afd2b. Commit: 4ffad4c.
Showing 5 changed files with 349 additions and 0 deletions.
32 changes: 32 additions & 0 deletions
...ternal/wpt/service-workers/service-worker/sandboxed-iframe-fetch-event.https-expected.txt
@@ -0,0 +1,32 @@ | ||
This is a testharness.js-based test. | ||
PASS Prepare a service worker. | ||
PASS Prepare a normal iframe. | ||
PASS Prepare an iframe sandboxed by <iframe sandbox="allow-scripts">. | ||
PASS Prepare an iframe sandboxed by <iframe sandbox="allow-scripts allow-same-origin">. | ||
FAIL Prepare an iframe sandboxed by CSP HTTP header with allow-scripts. assert_false: Service worker should NOT control the sandboxed page expected false got true | ||
PASS Prepare an iframe sandboxed by CSP HTTP header with allow-scripts and allow-same-origin. | ||
PASS Fetch request from a normal iframe | ||
PASS Fetch request from a worker in a normal iframe | ||
PASS Request for an iframe in the normal iframe | ||
PASS Request for an sandboxed iframe with allow-scripts flag in the normal iframe | ||
PASS Request for an sandboxed iframe with allow-scripts and allow-same-origin flag in the normal iframe | ||
PASS Fetch request from iframe sandboxed by an attribute with allow-scripts flag | ||
PASS Fetch request from a worker in iframe sandboxed by an attribute with allow-scripts flag | ||
PASS Request for an iframe in the iframe sandboxed by an attribute with allow-scripts flag | ||
PASS Request for an sandboxed iframe with allow-scripts flag in the iframe sandboxed by an attribute with allow-scripts flag | ||
PASS Request for an sandboxed iframe with allow-scripts and allow-same-origin flag in the iframe sandboxed by an attribute with allow-scripts flag | ||
PASS Fetch request from iframe sandboxed by an attribute with allow-scripts and allow-same-origin flag | ||
PASS Fetch request from a worker in iframe sandboxed by an attribute with allow-scripts and allow-same-origin flag | ||
PASS Request for an iframe in the iframe sandboxed by an attribute with allow-scripts and allow-same-origin flag | ||
PASS Request for an sandboxed iframe with allow-scripts flag in the iframe sandboxed by attribute with allow-scripts and allow-same-origin flag | ||
PASS Request for an sandboxed iframe with allow-scripts and allow-same-origin flag in the iframe sandboxed by attribute with allow-scripts and allow-same-origin flag | ||
FAIL Fetch request from iframe sandboxed by CSP HTTP header with allow-scripts flag assert_equals: The request should NOT be handled by SW. expected 0 but got 1 | ||
PASS Request for an iframe in the iframe sandboxed by CSP HTTP header with allow-scripts flag | ||
PASS Request for an sandboxed iframe with allow-scripts flag in the iframe sandboxed by CSP HTTP header with allow-scripts flag | ||
PASS Request for an sandboxed iframe with allow-scripts and allow-same-origin flag in the iframe sandboxed by CSP HTTP header with allow-scripts flag | ||
PASS Fetch request from iframe sandboxed by CSP HTTP header with allow-scripts and allow-same-origin flag | ||
PASS Request for an iframe in the iframe sandboxed by CSP HTTP header with allow-scripts and allow-same-origin flag | ||
PASS Request for an sandboxed iframe with allow-scripts flag in the iframe sandboxed by CSP HTTP header with allow-scripts and allow-same-origin flag | ||
PASS Request for an sandboxed iframe with allow-scripts and allow-same-origin flag in the iframe sandboxed by CSP HTTP header with allow-scripts and allow-same-origin flag | ||
Harness: the test ran to completion. | ||
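Review bot: the two FAIL entries in this expectations file ("FAIL Prepare an iframe sandboxed by CSP HTTP header with allow-scripts." and "FAIL Fetch request from iframe sandboxed by CSP HTTP header with allow-scripts flag") bake the current incorrect behaviour into the baseline: an iframe sandboxed by the CSP header without allow-same-origin has an opaque origin and should not be a service worker client, yet the harness reports it as controlled and its fetch as handled by the worker. Landing a WPT with a FAIL baseline ahead of the fix is fine, but tie this file to the tracking bug from the commit message (Bug: 771815) so the baseline is deleted when the behaviour is corrected; otherwise the fixed state would itself show up as an unexpected PASS and a later regression would be masked. Minor: many lines read "Request for an sandboxed iframe" ("an" before a consonant); these strings mirror the test descriptions, so correct them in the test source and regenerate this file rather than editing it by hand.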
132 changes: 132 additions & 0 deletions
...t/service-workers/service-worker/worker-in-sandboxed-iframe-by-csp-fetch-event.https.html
@@ -0,0 +1,132 @@ | ||
<!DOCTYPE html> | ||
<title>ServiceWorker FetchEvent issued from workers in an iframe sandboxed via CSP HTTP response header.</title> | ||
<script src="/resources/testharness.js"></script> | ||
<script src="/resources/testharnessreport.js"></script> | ||
<script src="resources/test-helpers.sub.js"></script> | ||
<body> | ||
<script> | ||
let lastCallbackId = 0; | ||
let callbacks = {}; | ||
function doTest(frame, type) { | ||
return new Promise(function(resolve) { | ||
var id = ++lastCallbackId; | ||
callbacks[id] = resolve; | ||
frame.contentWindow.postMessage({id: id, type: type}, '*'); | ||
}); | ||
} | ||
|
||
// Asks the service worker for data about requests and clients seen. The | ||
// worker posts a message back with |data| where: | ||
// |data.requests|: the requests the worker received FetchEvents for | ||
// |data.clients|: the URLs of all the worker's clients | ||
// The worker clears its data after responding. | ||
function getResultsFromWorker(worker) { | ||
return new Promise(resolve => { | ||
let channel = new MessageChannel(); | ||
channel.port1.onmessage = msg => { | ||
resolve(msg.data); | ||
}; | ||
worker.postMessage({port: channel.port2}, [channel.port2]); | ||
}); | ||
} | ||
|
||
window.onmessage = function (e) { | ||
message = e.data; | ||
let id = message['id']; | ||
let callback = callbacks[id]; | ||
delete callbacks[id]; | ||
callback(message['result']); | ||
}; | ||
|
||
const SCOPE = 'resources/sandboxed-iframe-fetch-event-iframe.py'; | ||
const SCRIPT = 'resources/sandboxed-iframe-fetch-event-worker.js'; | ||
const expected_base_url = new URL(SCOPE, location.href); | ||
// A service worker controlling |SCOPE|. | ||
let worker; | ||
// An iframe whose response header has | ||
// 'Content-Security-Policy: allow-scripts'. | ||
// This should NOT be controlled by a service worker. | ||
let sandboxed_frame_by_header; | ||
// An iframe whose response header has | ||
// 'Content-Security-Policy: allow-scripts allow-same-origin'. | ||
// This should be controlled by a service worker. | ||
let sandboxed_same_origin_frame_by_header; | ||
|
||
promise_test(t => { | ||
return service_worker_unregister_and_register(t, SCRIPT, SCOPE) | ||
.then(function(registration) { | ||
add_completion_callback(() => registration.unregister()); | ||
worker = registration.installing; | ||
return wait_for_state(t, registration.installing, 'activated'); | ||
}); | ||
}, 'Prepare a service worker.'); | ||
|
||
promise_test(t => { | ||
const iframe_full_url = expected_base_url + '?sandbox=allow-scripts&' + | ||
'sandboxed-frame-by-header'; | ||
return with_iframe(iframe_full_url) | ||
.then(f => { | ||
sandboxed_frame_by_header = f; | ||
add_completion_callback(() => f.remove()); | ||
return getResultsFromWorker(worker); | ||
}) | ||
.then(data => { | ||
let requests = data.requests; | ||
assert_equals(requests.length, 1, | ||
'Service worker should provide the response'); | ||
assert_equals(requests[0], iframe_full_url); | ||
assert_false(data.clients.includes(iframe_full_url), | ||
'Service worker should NOT control the sandboxed page'); | ||
}); | ||
}, 'Prepare an iframe sandboxed by CSP HTTP header with allow-scripts.'); | ||
|
||
promise_test(t => { | ||
const iframe_full_url = | ||
expected_base_url + '?sandbox=allow-scripts%20allow-same-origin&' + | ||
'sandboxed-iframe-same-origin-by-header'; | ||
return with_iframe(iframe_full_url) | ||
.then(f => { | ||
sandboxed_same_origin_frame_by_header = f; | ||
add_completion_callback(() => f.remove()); | ||
return getResultsFromWorker(worker); | ||
}) | ||
.then(data => { | ||
let requests = data.requests; | ||
assert_equals(requests.length, 1); | ||
assert_equals(requests[0], iframe_full_url); | ||
assert_true(data.clients.includes(iframe_full_url)); | ||
}) | ||
}, 'Prepare an iframe sandboxed by CSP HTTP header with allow-scripts and ' + | ||
'allow-same-origin.'); | ||
|
||
promise_test(t => { | ||
let frame = sandboxed_frame_by_header; | ||
return doTest(frame, 'fetch-from-worker') | ||
.then(result => { | ||
assert_equals(result, 'done'); | ||
return getResultsFromWorker(worker); | ||
}) | ||
.then(data => { | ||
assert_equals(data.requests.length, 0, | ||
'The request should NOT be handled by SW.'); | ||
}); | ||
}, 'Fetch request from a worker in iframe sandboxed by CSP HTTP header ' + | ||
'allow-scripts flag'); | ||
|
||
promise_test(t => { | ||
let frame = sandboxed_same_origin_frame_by_header; | ||
return doTest(frame, 'fetch-from-worker') | ||
.then(result => { | ||
assert_equals(result, 'done'); | ||
return getResultsFromWorker(worker); | ||
}) | ||
.then(data => { | ||
let requests = data.requests; | ||
assert_equals(requests.length, 1, | ||
'The request should be handled by SW.'); | ||
assert_equals(requests[0], frame.src + '&test=fetch-from-worker'); | ||
}); | ||
}, 'Fetch request from a worker in iframe sandboxed by CSP HTTP header ' + | ||
'with allow-scripts and allow-same-origin flag'); | ||
</script> | ||
</body> |
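Review bot: the comments reading "An iframe whose response header has" / "'Content-Security-Policy: allow-scripts'" describe an invalid header: sandboxing is a CSP directive named `sandbox`, so the header the helper must actually send is `Content-Security-Policy: sandbox allow-scripts` (and `sandbox allow-scripts allow-same-origin` for the second frame); update both comments so they match what the `?sandbox=...` query parameter makes the .py resource emit. In `window.onmessage`, `message = e.data;` assigns to an undeclared identifier and creates an implicit global (a ReferenceError under strict mode); declare it with `const message = e.data;` and guard the `callback(message['result'])` call against an id that is not in `callbacks`. Since sandboxed-iframe-fetch-event.https-expected.txt in this same commit records the by-header allow-scripts fetch as handled by the worker, the `assert_equals(data.requests.length, 0, 'The request should NOT be handled by SW.')` case here will fail on the current implementation as well and needs its own -expected.txt baseline, which is not visible in this change. Style: the description 'Fetch request from a worker in iframe sandboxed by CSP HTTP header ' + 'allow-scripts flag' is missing "with", unlike its allow-same-origin counterpart, and the `.then(data => { ... })` chain in the allow-same-origin preparation test lacks the terminating semicolon the other tests have.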