[Trusted Types] Worker constructor URLs are TrustedScriptURLs

Make URLs used to construct workers TrustedScriptURLs. Minor rework of how to get the execution context in the generated bindings, because the old method assumed presence of an "impl" object, which is only created at the end in case of constructors. So instead, implement a method with which we can always obtain the execution context from the v8::FunctionCallbackInfo. Bug: 1059684 Change-Id: I00e3e52cad5c3736105289a9fda1eeca15fd6f62 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2105339 Commit-Queue: Daniel Vogelheim <vogelheim@chromium.org> Reviewed-by: Yuki Shiino <yukishiino@chromium.org> Reviewed-by: Hiroki Nakagawa <nhiroki@chromium.org> Reviewed-by: Yifan Luo <lyf@chromium.org> Cr-Commit-Position: refs/heads/master@{#755315}
web-platform-tests · Apr 1, 2020 · ee1697d · ee1697d
1 parent 0a71320
commit ee1697d
Showing 1 changed file with 86 additions and 0 deletions.
diff --git a/trusted-types/worker-constructor.https.html b/trusted-types/worker-constructor.https.html
@@ -0,0 +1,86 @@
+<!doctype html>
+<html>
+<head>
+  <meta http-equiv="Content-Security-Policy" content="require-trusted-types-for 'script';">
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+</head>
+<body>
+<script>
+
+const test_url = "support/WorkerGlobalScope-importScripts.https.js"
+const trusted_url = trustedTypes.createPolicy("anythinggoes", {
+  createScriptURL: x => x}).createScriptURL(test_url);
+const default_url = "support/WorkerGlobalScope-importScripts.potato.js"
+
+async function service_worker(url) {
+  if (!('serviceWorker' in navigator)) return Promise.resolve();
+
+  const scope = 'support/some/scope/for/this/test';
+  const reg = await navigator.serviceWorker.getRegistration(scope);
+  if (reg) await reg.unregister();
+  return await navigator.serviceWorker.register(url, {scope});
+}
+
+// Most tests below don't need promises, but the ones related to
+// ServiceWorkers do. Since we can't mix promise and non-promise tests,
+// we'll just run the non-promise tests in the main function and return
+// an empty-resolved promise for those.
+// Since an active default policy will affect all subsequent DOM operations,
+// we're wrapping policy creation in a promise_test. Together, this will
+// force proper serialization of all tests.
+//
+// Generally, we don't actually care what the workers here do, we'll merely
+// check whether creation succeeds.
+
+promise_test(t => {
+  new Worker(trusted_url);
+  return Promise.resolve();
+}, "Create Worker via ScriptTestUrl");
+
+promise_test(t => {
+  new SharedWorker(trusted_url);
+  return Promise.resolve();
+}, "Create SharedWorker via ScriptTestUrl");
+
+promise_test(t => {
+  return service_worker(trusted_url);
+}, "Create ServiceWorker via ScriptTestUrl");
+
+promise_test(t => {
+  assert_throws_js(TypeError, () => new Worker(test_url));
+  return Promise.resolve();
+}, "Block Worker creation via string");
+
+promise_test(t => {
+  assert_throws_js(TypeError, () => new SharedWorker(test_url));
+  return Promise.resolve();
+}, "Block SharedWorker creation via string");
+
+promise_test(t => {
+  return promise_rejects_js(t, TypeError, service_worker(test_url));
+}, "Block ServiceWorker creation via String");
+
+// Tests with default policy.
+promise_test(t => {
+  trustedTypes.createPolicy("default", {
+      createScriptURL: s => s.replace("potato", "https") });
+  return Promise.resolve();
+}, "Setup default policy.");
+
+promise_test(t => {
+  new Worker(default_url);
+  return Promise.resolve();
+}, "Create Worker via string with default policy.");
+
+promise_test(t => {
+  new SharedWorker(default_url);
+  return Promise.resolve();
+}, "Create SharedWorker via string with default policy.");
+
+promise_test(t => {
+  return service_worker(default_url);
+}, "Create ServiceWorker via string with default policy.");
+
+</script>
+</body>