web-bundle/subresource-loading/csp-allowed.https.tentative.html - external/w3c/web-platform-tests - Git at Google

 <!DOCTYPE html>
 <title>CSP for subresource WebBundle (allowed cases)</title>
 <link
   rel="help"
   href="https://github.com/WICG/webpackage/blob/main/explainers/subresource-loading.md"
 />
 <meta
   http-equiv="Content-Security-Policy"
   content="
     script-src
       https://web-platform.test:8444/web-bundle/resources/wbn/uuid-in-package.wbn
       https://web-platform.test:8444/resources/testharness.js
       https://web-platform.test:8444/resources/testharnessreport.js
       'unsafe-inline';
     img-src
       https://web-platform.test:8444/web-bundle/resources/wbn/pass.png"
 />
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
 <body>
   <script type="webbundle">
     {
       "source": "../resources/wbn/subresource.wbn",
       "resources": ["https://web-platform.test:8444/web-bundle/resources/wbn/pass.png"]
     }
   </script>
   <script type="webbundle">
     {
       "source": "../resources/wbn/uuid-in-package.wbn",
       "resources": ["uuid-in-package:020111b3-437a-4c5c-ae07-adb6bbffb720"
       ]
     }
   </script>
   <script>
     promise_test(() => {
       return new Promise((resolve, reject) => {
         const img = document.createElement("img");
         img.src =
           "https://web-platform.test:8444/web-bundle/resources/wbn/pass.png";
         img.onload = resolve;
         img.onerror = reject;
         document.body.appendChild(img);
       });
     }, "URL matching of CSP should be done based on the subresource URL " +
        "when the subresource URL is HTTPS URL.");

     promise_test(async () => {
       const result = await new Promise((resolve) => {
         // This function will be called from the script.
         window.report_result = resolve;
         const script = document.createElement("script");
         script.src = "uuid-in-package:020111b3-437a-4c5c-ae07-adb6bbffb720";
         document.body.appendChild(script);
       });
       assert_equals(result, "OK");
     }, "URL matching of script-src CSP should be done based on the bundle URL " +
        "when the subresource URL is uuid-in-package: URL.");

   </script>
 </body>
	<!DOCTYPE html>
	<title>CSP for subresource WebBundle (allowed cases)</title>
	<link
	rel="help"
	href="https://github.com/WICG/webpackage/blob/main/explainers/subresource-loading.md"
	/>
	<meta
	http-equiv="Content-Security-Policy"
	content="
	script-src
	https://web-platform.test:8444/web-bundle/resources/wbn/uuid-in-package.wbn
	https://web-platform.test:8444/resources/testharness.js
	https://web-platform.test:8444/resources/testharnessreport.js
	'unsafe-inline';
	img-src
	https://web-platform.test:8444/web-bundle/resources/wbn/pass.png"
	/>
	<script src="/resources/testharness.js"></script>
	<script src="/resources/testharnessreport.js"></script>
	<body>
	<script type="webbundle">
	{
	"source": "../resources/wbn/subresource.wbn",
	"resources": ["https://web-platform.test:8444/web-bundle/resources/wbn/pass.png"]
	}
	</script>
	<script type="webbundle">
	{
	"source": "../resources/wbn/uuid-in-package.wbn",
	"resources": ["uuid-in-package:020111b3-437a-4c5c-ae07-adb6bbffb720"
	]
	}
	</script>
	<script>
	promise_test(() => {
	return new Promise((resolve, reject) => {
	const img = document.createElement("img");
	img.src =
	"https://web-platform.test:8444/web-bundle/resources/wbn/pass.png";
	img.onload = resolve;
	img.onerror = reject;
	document.body.appendChild(img);
	});
	}, "URL matching of CSP should be done based on the subresource URL " +
	"when the subresource URL is HTTPS URL.");

	promise_test(async () => {
	const result = await new Promise((resolve) => {
	// This function will be called from the script.
	window.report_result = resolve;
	const script = document.createElement("script");
	script.src = "uuid-in-package:020111b3-437a-4c5c-ae07-adb6bbffb720";
	document.body.appendChild(script);
	});
	assert_equals(result, "OK");
	}, "URL matching of script-src CSP should be done based on the bundle URL " +
	"when the subresource URL is uuid-in-package: URL.");

	</script>
	</body>