| <!DOCTYPE html> |
| <title>CSP for subresource WebBundle (allowed cases)</title> |
| <link |
| rel="help" |
| href="https://github.com/WICG/webpackage/blob/main/explainers/subresource-loading.md" |
| /> |
| <meta |
| http-equiv="Content-Security-Policy" |
| content=" |
| script-src |
| https://web-platform.test:8444/web-bundle/resources/wbn/uuid-in-package.wbn |
| https://web-platform.test:8444/resources/testharness.js |
| https://web-platform.test:8444/resources/testharnessreport.js |
| 'unsafe-inline'; |
| img-src |
| https://web-platform.test:8444/web-bundle/resources/wbn/pass.png; |
| frame-src |
| https://web-platform.test:8444/web-bundle/resources/wbn/uuid-in-package.wbn" |
| /> |
| <script src="/resources/testharness.js"></script> |
| <script src="/resources/testharnessreport.js"></script> |
| <body> |
| <script type="webbundle"> |
| { |
| "source": "../resources/wbn/subresource.wbn", |
| "resources": ["https://web-platform.test:8444/web-bundle/resources/wbn/pass.png"] |
| } |
| </script> |
| <script type="webbundle"> |
| { |
| "source": "../resources/wbn/uuid-in-package.wbn", |
| "resources": ["uuid-in-package:020111b3-437a-4c5c-ae07-adb6bbffb720", |
| "uuid-in-package:429fcc4e-0696-4bad-b099-ee9175f023ae" |
| ] |
| } |
| </script> |
| <script> |
| promise_test(() => { |
| return new Promise((resolve, reject) => { |
| const img = document.createElement("img"); |
| img.src = |
| "https://web-platform.test:8444/web-bundle/resources/wbn/pass.png"; |
| img.onload = resolve; |
| img.onerror = reject; |
| document.body.appendChild(img); |
| }); |
| }, "URL matching of CSP should be done based on the subresource URL " + |
| "when the subresource URL is HTTPS URL."); |
| |
| promise_test(async () => { |
| const result = await new Promise((resolve) => { |
| // This function will be called from the script. |
| window.report_result = resolve; |
| const script = document.createElement("script"); |
| script.src = "uuid-in-package:020111b3-437a-4c5c-ae07-adb6bbffb720"; |
| document.body.appendChild(script); |
| }); |
| assert_equals(result, "OK"); |
| }, "URL matching of script-src CSP should be done based on the bundle URL " + |
| "when the subresource URL is uuid-in-package: URL."); |
| |
| promise_test(async () => { |
| const frame_url = "uuid-in-package:429fcc4e-0696-4bad-b099-ee9175f023ae"; |
| const iframe = document.createElement("iframe"); |
| iframe.src = frame_url; |
| const load_promise = new Promise((resolve) => { |
| iframe.addEventListener("load", resolve); |
| }); |
| document.body.appendChild(iframe); |
| await load_promise; |
| assert_equals(await evalInIframe(iframe, "location.href"), frame_url); |
| }, "URL matching of frame-src CSP should be done based on the bundle URL " + |
| "when the frame URL is uuid-in-package: URL."); |
| |
| async function evalInIframe(iframe, code) { |
| const message_promise = new Promise((resolve) => { |
| window.addEventListener( |
| "message", |
| (e) => { |
| resolve(e.data); |
| }, |
| { once: true } |
| ); |
| }); |
| iframe.contentWindow.postMessage(code, "*"); |
| return message_promise; |
| } |
| </script> |
| </body> |