WebKit export of https://bugs.webkit.org/show_bug.cgi?id=234140 (#32003)

service-workers/service-worker/fetch-csp.https.html

@@ -107,6 +107,30 @@
               'When the request was fetched via SW, CSP match algorithm ' +
               'should ignore the path component of the URL.');
         })
+      .then(function() {
+          return assert_resolves(
+              frame.contentWindow.fetch(IMAGE_URL + "&fetch1", { mode: 'no-cors'}),
+              'Allowed scope fetch resource should be loaded.');
+        })
+      .then(function() {
+          return assert_resolves(
+              frame.contentWindow.fetch(
+                  // The request for IMAGE_URL will be fetched in SW.
+                  './sample?url=' + encodeURIComponent(IMAGE_URL + '&fetch2'), { mode: 'no-cors'}),
+              'Allowed scope fetch resource which was fetched via SW should be loaded.');
+        })
+      .then(function() {
+          return assert_rejects(
+              frame.contentWindow.fetch(REMOTE_IMAGE_URL + "&fetch3", { mode: 'no-cors'}),
+              'Disallowed scope fetch resource should not be loaded.');
+        })
+      .then(function() {
+          return assert_rejects(
+              frame.contentWindow.fetch(
+                  // The request for REMOTE_IMAGE_URL will be fetched in SW.
+                  './sample?url=' + encodeURIComponent(REMOTE_IMAGE_URL + '&fetch4'), { mode: 'no-cors'}),
+              'Disallowed scope fetch resource which was fetched via SW should not be loaded.');
+        })
       .then(function() {
           frame.remove();
         });

service-workers/service-worker/resources/fetch-csp-iframe.html.sub.headers

@@ -1 +1 @@
-Content-Security-Policy: img-src https://{{host}}:{{ports[https][0]}}
+Content-Security-Policy: img-src https://{{host}}:{{ports[https][0]}}; connect-src 'unsafe-inline' 'self'