web-bundle/subresource-loading/link-csp-allowed.https.tentative.html - external/github.com/web-platform-tests/wpt - Git at Google

 <!DOCTYPE html>
 <title>CSP for subresource WebBundle (allowed cases)</title>
 <link
   rel="help"
   href="https://github.com/WICG/webpackage/blob/main/explainers/subresource-loading.md"
 />
 <meta
   http-equiv="Content-Security-Policy"
   content="
     script-src
       https://web-platform.test:8444/web-bundle/resources/wbn/urn-uuid.wbn
       https://web-platform.test:8444/web-bundle/resources/wbn/uuid-in-package.wbn
       https://web-platform.test:8444/resources/testharness.js
       https://web-platform.test:8444/resources/testharnessreport.js
       'unsafe-inline';
     img-src
       https://web-platform.test:8444/web-bundle/resources/wbn/pass.png;
     frame-src
       https://web-platform.test:8444/web-bundle/resources/wbn/urn-uuid.wbn
       https://web-platform.test:8444/web-bundle/resources/wbn/uuid-in-package.wbn"
 >
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
 <body>
 <link rel="webbundle" href="../resources/wbn/subresource.wbn"
       resources="https://web-platform.test:8444/web-bundle/resources/wbn/pass.png" />
 <link rel="webbundle" href="../resources/wbn/urn-uuid.wbn"
       resources="urn:uuid:020111b3-437a-4c5c-ae07-adb6bbffb720
                  urn:uuid:429fcc4e-0696-4bad-b099-ee9175f023ae" />
 <link rel="webbundle" href="../resources/wbn/uuid-in-package.wbn"
       resources="uuid-in-package:020111b3-437a-4c5c-ae07-adb6bbffb720
                  uuid-in-package:429fcc4e-0696-4bad-b099-ee9175f023ae" />
 <script>
   promise_test(() => {
     return new Promise((resolve, reject) => {
       const img = document.createElement('img');
       img.src = 'https://web-platform.test:8444/web-bundle/resources/wbn/pass.png';
       img.onload = resolve;
       img.onerror = reject;
       document.body.appendChild(img);
     });
   }, 'URL matching of CSP should be done based on the subresource URL ' +
      'when the subresource URL is HTTPS URL.');

   promise_test(async () => {
     const result = await new Promise((resolve) => {
       // This function will be called from the script.
       window.report_result = resolve;
       const script = document.createElement('script');
       script.src = 'urn:uuid:020111b3-437a-4c5c-ae07-adb6bbffb720';
       document.body.appendChild(script);
     });
     assert_equals(result, 'OK');
   }, 'URL matching of script-src CSP should be done based on the bundle URL ' +
      'when the subresource URL is urn:uuid URL.');

   promise_test(async () => {
     const result = await new Promise((resolve) => {
       // This function will be called from the script.
       window.report_result = resolve;
       const script = document.createElement('script');
       script.src = 'uuid-in-package:020111b3-437a-4c5c-ae07-adb6bbffb720';
       document.body.appendChild(script);
     });
     assert_equals(result, 'OK');
   }, 'URL matching of script-src CSP should be done based on the bundle URL ' +
      'when the subresource URL is uuid-in-package: URL.');

   promise_test(async () => {
     const frame_url = 'urn:uuid:429fcc4e-0696-4bad-b099-ee9175f023ae';
     const iframe = document.createElement('iframe');
     iframe.src = frame_url;
     const load_promise = new Promise((resolve) => {
       iframe.addEventListener('load', resolve);
     });
     document.body.appendChild(iframe);
     await load_promise;
     assert_equals(
         await evalInIframe(iframe, 'location.href'),
         frame_url);
   }, 'URL matching of frame-src CSP should be done based on the bundle URL ' +
      'when the frame URL is urn:uuid URL.');

   promise_test(async () => {
     const frame_url = 'uuid-in-package:429fcc4e-0696-4bad-b099-ee9175f023ae';
     const iframe = document.createElement('iframe');
     iframe.src = frame_url;
     const load_promise = new Promise((resolve) => {
       iframe.addEventListener('load', resolve);
     });
     document.body.appendChild(iframe);
     await load_promise;
     assert_equals(
         await evalInIframe(iframe, 'location.href'),
         frame_url);
   }, 'URL matching of frame-src CSP should be done based on the bundle URL ' +
      'when the frame URL is uuid-in-package: URL.');

   async function evalInIframe(iframe, code) {
     const message_promise = new Promise((resolve) => {
         window.addEventListener(
             'message',
             (e) => { resolve(e.data); },
             { once : true });
       });
     iframe.contentWindow.postMessage(code,'*');
     return message_promise;
   }
 </script>
 </body>
	<!DOCTYPE html>
	<title>CSP for subresource WebBundle (allowed cases)</title>
	<link
	rel="help"
	href="https://github.com/WICG/webpackage/blob/main/explainers/subresource-loading.md"
	/>
	<meta
	http-equiv="Content-Security-Policy"
	content="
	script-src
	https://web-platform.test:8444/web-bundle/resources/wbn/urn-uuid.wbn
	https://web-platform.test:8444/web-bundle/resources/wbn/uuid-in-package.wbn
	https://web-platform.test:8444/resources/testharness.js
	https://web-platform.test:8444/resources/testharnessreport.js
	'unsafe-inline';
	img-src
	https://web-platform.test:8444/web-bundle/resources/wbn/pass.png;
	frame-src
	https://web-platform.test:8444/web-bundle/resources/wbn/urn-uuid.wbn
	https://web-platform.test:8444/web-bundle/resources/wbn/uuid-in-package.wbn"
	>
	<script src="/resources/testharness.js"></script>
	<script src="/resources/testharnessreport.js"></script>
	<body>
	<link rel="webbundle" href="../resources/wbn/subresource.wbn"
	resources="https://web-platform.test:8444/web-bundle/resources/wbn/pass.png" />
	<link rel="webbundle" href="../resources/wbn/urn-uuid.wbn"
	resources="urn:uuid:020111b3-437a-4c5c-ae07-adb6bbffb720
	urn:uuid:429fcc4e-0696-4bad-b099-ee9175f023ae" />
	<link rel="webbundle" href="../resources/wbn/uuid-in-package.wbn"
	resources="uuid-in-package:020111b3-437a-4c5c-ae07-adb6bbffb720
	uuid-in-package:429fcc4e-0696-4bad-b099-ee9175f023ae" />
	<script>
	promise_test(() => {
	return new Promise((resolve, reject) => {
	const img = document.createElement('img');
	img.src = 'https://web-platform.test:8444/web-bundle/resources/wbn/pass.png';
	img.onload = resolve;
	img.onerror = reject;
	document.body.appendChild(img);
	});
	}, 'URL matching of CSP should be done based on the subresource URL ' +
	'when the subresource URL is HTTPS URL.');

	promise_test(async () => {
	const result = await new Promise((resolve) => {
	// This function will be called from the script.
	window.report_result = resolve;
	const script = document.createElement('script');
	script.src = 'urn:uuid:020111b3-437a-4c5c-ae07-adb6bbffb720';
	document.body.appendChild(script);
	});
	assert_equals(result, 'OK');
	}, 'URL matching of script-src CSP should be done based on the bundle URL ' +
	'when the subresource URL is urn:uuid URL.');

	promise_test(async () => {
	const result = await new Promise((resolve) => {
	// This function will be called from the script.
	window.report_result = resolve;
	const script = document.createElement('script');
	script.src = 'uuid-in-package:020111b3-437a-4c5c-ae07-adb6bbffb720';
	document.body.appendChild(script);
	});
	assert_equals(result, 'OK');
	}, 'URL matching of script-src CSP should be done based on the bundle URL ' +
	'when the subresource URL is uuid-in-package: URL.');

	promise_test(async () => {
	const frame_url = 'urn:uuid:429fcc4e-0696-4bad-b099-ee9175f023ae';
	const iframe = document.createElement('iframe');
	iframe.src = frame_url;
	const load_promise = new Promise((resolve) => {
	iframe.addEventListener('load', resolve);
	});
	document.body.appendChild(iframe);
	await load_promise;
	assert_equals(
	await evalInIframe(iframe, 'location.href'),
	frame_url);
	}, 'URL matching of frame-src CSP should be done based on the bundle URL ' +
	'when the frame URL is urn:uuid URL.');

	promise_test(async () => {
	const frame_url = 'uuid-in-package:429fcc4e-0696-4bad-b099-ee9175f023ae';
	const iframe = document.createElement('iframe');
	iframe.src = frame_url;
	const load_promise = new Promise((resolve) => {
	iframe.addEventListener('load', resolve);
	});
	document.body.appendChild(iframe);
	await load_promise;
	assert_equals(
	await evalInIframe(iframe, 'location.href'),
	frame_url);
	}, 'URL matching of frame-src CSP should be done based on the bundle URL ' +
	'when the frame URL is uuid-in-package: URL.');

	async function evalInIframe(iframe, code) {
	const message_promise = new Promise((resolve) => {
	window.addEventListener(
	'message',
	(e) => { resolve(e.data); },
	{ once : true });
	});
	iframe.contentWindow.postMessage(code,'*');
	return message_promise;
	}
	</script>
	</body>