[CSP] Fix wasm-eval check from workers

For workers, we were not gating wasm instantiation/compilation behind
Content Security Policy. This CL fixes that and adds tests.

Bug: 1248289
Change-Id: Ib2cdb2ba4dd5b5e2d289a5fbe4700521dea9265f
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/3152118
Commit-Queue: Antonio Sartori <antoniosartori@chromium.org>
Reviewed-by: Karan Bhatia <karandeepb@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Reviewed-by: David Tseng <dtseng@chromium.org>
Cr-Commit-Position: refs/heads/main@{#923308}
diff --git a/content-security-policy/wasm-eval/script-src-blocks-wasm.any.js b/content-security-policy/wasm-eval/script-src-blocks-wasm.any.js
new file mode 100644
index 0000000..15e9d87
--- /dev/null
+++ b/content-security-policy/wasm-eval/script-src-blocks-wasm.any.js
@@ -0,0 +1,8 @@
+// META: global=window,worker
+
+promise_test(t => {
+  return promise_rejects_js(
+      t, WebAssembly.CompileError,
+      WebAssembly.instantiate(
+          new Uint8Array([0, 0x61, 0x73, 0x6d, 0x1, 0, 0, 0])));
+});
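Review bot: The rejection asserted in `promise_rejects_js` is `WebAssembly.CompileError`, which is also what malformed bytes would produce, so this test demonstrates a CSP block only because the sibling script-src-unsafe-eval-allows-wasm.any.js compiles the same bytes successfully. A comment above the array, such as `// Minimal valid module: "\0asm" magic followed by version 1.`, would make that dependency explicit. Only `WebAssembly.instantiate(bytes)` is exercised, although the commit message speaks of instantiation and compilation; adding `promise_rejects_js(t, WebAssembly.CompileError, WebAssembly.compile(bytes))` and `assert_throws_js(WebAssembly.CompileError, () => new WebAssembly.Module(bytes))` would cover the other entry points, assuming they are expected to fail the same way in workers. Neither this `promise_test` nor the one in the allows file passes a description, so a second argument like `"script-src without 'unsafe-eval' blocks WebAssembly.instantiate"` would make per-global results easier to read.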
diff --git a/content-security-policy/wasm-eval/script-src-blocks-wasm.any.js.headers b/content-security-policy/wasm-eval/script-src-blocks-wasm.any.js.headers
new file mode 100644
index 0000000..de46ceb
--- /dev/null
+++ b/content-security-policy/wasm-eval/script-src-blocks-wasm.any.js.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'self' 'unsafe-inline'
\ No newline at end of file
diff --git a/content-security-policy/wasm-eval/script-src-unsafe-eval-allows-wasm.any.js b/content-security-policy/wasm-eval/script-src-unsafe-eval-allows-wasm.any.js
new file mode 100644
index 0000000..68a145c
--- /dev/null
+++ b/content-security-policy/wasm-eval/script-src-unsafe-eval-allows-wasm.any.js
@@ -0,0 +1,6 @@
+// META: global=window,worker
+
+promise_test(t => {
+  return WebAssembly.instantiate(
+      new Uint8Array([0, 0x61, 0x73, 0x6d, 0x1, 0, 0, 0]));
+});
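Review bot: The promise from `WebAssembly.instantiate` is returned unchecked, so the test passes on any fulfilment value. Since this file is the positive control for the blocking test, it is worth pinning that a usable result came back, for example by chaining `.then(result => assert_true(result.instance instanceof WebAssembly.Instance))`. A one-line comment stating that the bytes are the same minimal module used by script-src-blocks-wasm.any.js would keep the two files in step if either is edited later.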
diff --git a/content-security-policy/wasm-eval/script-src-unsafe-eval-allows-wasm.any.js.headers b/content-security-policy/wasm-eval/script-src-unsafe-eval-allows-wasm.any.js.headers
new file mode 100644
index 0000000..c0ce20d
--- /dev/null
+++ b/content-security-policy/wasm-eval/script-src-unsafe-eval-allows-wasm.any.js.headers
@@ -0,0 +1 @@
+Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval'
\ No newline at end of file
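Review bot: The only allowing policy under test is `'unsafe-eval'`, which also re-enables JavaScript `eval()` and is broader than a site that only needs WebAssembly would want to deploy. If the implementation under test supports the narrower `'wasm-unsafe-eval'` source expression, a parallel test served with `Content-Security-Policy: script-src 'self' 'unsafe-inline' 'wasm-unsafe-eval'` would confirm that the worker path honours it too. Whether that keyword is in scope for this change is not visible from the diff.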