web-bundle/subresource-loading/script-csp-allowed.https.tentative.html

<!DOCTYPE html>
<title>CSP for subresource WebBundle (allowed cases)</title>
<link
  rel="help"
  href="https://github.com/WICG/webpackage/blob/main/explainers/subresource-loading.md"
/>
<meta
  http-equiv="Content-Security-Policy"
  content="
    script-src
      https://web-platform.test:8444/web-bundle/resources/wbn/uuid-in-package.wbn
      https://web-platform.test:8444/resources/testharness.js
      https://web-platform.test:8444/resources/testharnessreport.js
      'unsafe-inline';
    img-src
      https://web-platform.test:8444/web-bundle/resources/wbn/pass.png;
    frame-src
      https://web-platform.test:8444/web-bundle/resources/wbn/uuid-in-package.wbn"
/>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<body>
  <script type="webbundle">
    {
      "source": "../resources/wbn/subresource.wbn",
      "resources": ["https://web-platform.test:8444/web-bundle/resources/wbn/pass.png"]
    }
  </script>
  <script type="webbundle">
    {
      "source": "../resources/wbn/uuid-in-package.wbn",
      "resources": ["uuid-in-package:020111b3-437a-4c5c-ae07-adb6bbffb720",
                    "uuid-in-package:429fcc4e-0696-4bad-b099-ee9175f023ae"
      ]
    }
  </script>
  <script>
    promise_test(() => {
      return new Promise((resolve, reject) => {
        const img = document.createElement("img");
        img.src =
          "https://web-platform.test:8444/web-bundle/resources/wbn/pass.png";
        img.onload = resolve;
        img.onerror = reject;
        document.body.appendChild(img);
      });
    }, "URL matching of CSP should be done based on the subresource URL " +
       "when the subresource URL is HTTPS URL.");

    promise_test(async () => {
      const result = await new Promise((resolve) => {
        // This function will be called from the script.
        window.report_result = resolve;
        const script = document.createElement("script");
        script.src = "uuid-in-package:020111b3-437a-4c5c-ae07-adb6bbffb720";
        document.body.appendChild(script);
      });
      assert_equals(result, "OK");
    }, "URL matching of script-src CSP should be done based on the bundle URL " +
       "when the subresource URL is uuid-in-package: URL.");

    promise_test(async () => {
      const frame_url = "uuid-in-package:429fcc4e-0696-4bad-b099-ee9175f023ae";
      const iframe = document.createElement("iframe");
      iframe.src = frame_url;
      const load_promise = new Promise((resolve) => {
        iframe.addEventListener("load", resolve);
      });
      document.body.appendChild(iframe);
      await load_promise;
      assert_equals(await evalInIframe(iframe, "location.href"), frame_url);
    }, "URL matching of frame-src CSP should be done based on the bundle URL " +
       "when the frame URL is uuid-in-package: URL.");

    async function evalInIframe(iframe, code) {
      const message_promise = new Promise((resolve) => {
        window.addEventListener(
          "message",
          (e) => {
            resolve(e.data);
          },
          { once: true }
        );
      });
      iframe.contentWindow.postMessage(code, "*");
      return message_promise;
    }
  </script>
</body>