Google Git
Sign in
chromium / external / w3c / web-platform-tests / refs/tags/epochs/three_hourly/2021-01-28_15H^! / .
commit9ff620bc1109a3f7f8c9acca76726f9da783bb63[log] [tgz]
authorAntonio Sartori <antoniosartori@chromium.org>Thu Jan 28 11:52:54 2021
committerBlink WPT Bot <blink-w3c-test-autoroller@chromium.org>Thu Jan 28 12:10:04 2021
treebce55c24cb026517ab0c6530766b1b2e62a5a44f
parent9c4b78680260532467b053e6bd0fd506251c4fdb [diff]
CSP: Use parsed policies for initializing Workers/Worklets

Workers/Worklet need to take into account Content Security Policies,
which are sometimes inherited by the creating document and sometimes
parsed from the HTTP headers directly. At the moment, we are storing
and sending around the raw CSP policies. For example, when a Worker
inherits the CSPs from the creating document, we send the raw strings,
which were just parsed in the document, to the Worker, where they are
parsed a second time.

Not only this multiple parsing of the same policy is superfluous and
can be avoided. It can also create inconsistencies (see the failing WP
test content-security-policy/sandbox/meta-element.sub.html)

This change replaces the raw policies with the parsed CSP types,
avoids multiple parsing, and fixes that test.

Bug: 1021462,1149272
Change-Id: Ib431253419226d6642a086923620b3aba34feb43
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2636314
Commit-Queue: Antonio Sartori <antoniosartori@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Reviewed-by: Hiroki Nakagawa <nhiroki@chromium.org>
Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#848069}

diff --git a/content-security-policy/script-src/worker-data-set-timeout.sub.html b/content-security-policy/script-src/worker-data-set-timeout.sub.html
new file mode 100644
index 0000000..ac4b608
--- /dev/null
+++ b/content-security-policy/script-src/worker-data-set-timeout.sub.html

@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- We add two CSP entries on purpose. The first one does nothing
+    for the purpose of this test, but we want to check that both are
+    inherited -->
+    <meta http-equiv="Content-Security-Policy" content="object-src: 'none'">
+    <meta http-equiv="Content-Security-Policy" content="script-src data: 'self' 'unsafe-inline'; connect-src 'self';">
+    <title>worker-data-set-timeout</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/testharness-helper.js'></script>
+</head>
+
+<body>
+    <script>
+      fetch('./support/worker-with-script-src-none-set-timeout.js')
+       .then(data => data.text())
+       .then(
+           text => assert_shared_worker_is_loaded(
+               `data:text/javascript,${text}`,
+               "Shared worker with data: url inherits CSP",
+               "setTimeout blocked"));
+    </script>
+</body>
+
+</html>