mirror of
https://github.com/servo/servo.git
synced 2025-08-12 17:05:33 +01:00
Inherit CSP for blob workers (#38033)
Workers created from Blobs inherit their CSP. Now we inherit the CSP and set the correct base API url. The base API url should be used when determining the report-uri endpoint. Otherwise, the blob URL would be used as a base, which is invalid and the report wouldn't be sent. Also create a helper method to concatenate two optionals of CSPList, which was used in several places. Part of #4577 Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
parent
439cb00e31
commit
18d1a62add
27 changed files with 116 additions and 236 deletions
4
tests/wpt/meta/MANIFEST.json
vendored
4
tests/wpt/meta/MANIFEST.json
vendored
|
@ -911260,7 +911260,7 @@
|
|||
]
|
||||
],
|
||||
"dedicated-worker-from-blob-url.window.js": [
|
||||
"8455285571a357a5e6c46a38dcf465f7bd432b55",
|
||||
"61a1c06c246a274b642aae4c56974ef15ae4f5fe",
|
||||
[
|
||||
"workers/dedicated-worker-from-blob-url.window.html",
|
||||
{}
|
||||
|
@ -912969,7 +912969,7 @@
|
|||
}
|
||||
},
|
||||
"shared-worker-from-blob-url.window.js": [
|
||||
"98e34cc3a69a17f31cf5b890744e5f9ca52559b5",
|
||||
"a479767df39f2b91658b543d9f820d9d802143c9",
|
||||
[
|
||||
"workers/shared-worker-from-blob-url.window.html",
|
||||
{}
|
||||
|
|
|
@ -1,3 +0,0 @@
|
|||
[worker-from-guid.sub.html]
|
||||
[Expecting logs: ["violated-directive=connect-src","xhr blocked","TEST COMPLETE"\]]
|
||||
expected: FAIL
|
|
@ -1,15 +1,3 @@
|
|||
[dedicatedworker-connect-src.html]
|
||||
[Cross-origin 'fetch()' in blob: with connect-src 'self']
|
||||
expected: FAIL
|
||||
|
||||
[Cross-origin XHR in blob: with connect-src 'self']
|
||||
expected: FAIL
|
||||
|
||||
[Same-origin => cross-origin 'fetch()' in blob: with connect-src 'self']
|
||||
expected: FAIL
|
||||
|
||||
[WebSocket in blob: with connect-src 'self']
|
||||
expected: FAIL
|
||||
|
||||
[Reports match in blob: with connect-src 'self']
|
||||
expected: FAIL
|
||||
|
|
|
@ -1,6 +0,0 @@
|
|||
[referrer-origin-worker.html]
|
||||
[Request's referrer is origin]
|
||||
expected: FAIL
|
||||
|
||||
[Cross-origin referrer is overridden by client origin]
|
||||
expected: FAIL
|
|
@ -1,36 +0,0 @@
|
|||
[fetch.http.html]
|
||||
[Referrer Policy: Expects omitted for fetch to cross-http origin and keep-origin redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Referrer Policy: Expects omitted for fetch to cross-http origin and no-redirect redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Referrer Policy: Expects omitted for fetch to cross-http origin and swap-origin redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Referrer Policy: Expects omitted for fetch to cross-https origin and keep-origin redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Referrer Policy: Expects omitted for fetch to cross-https origin and no-redirect redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Referrer Policy: Expects omitted for fetch to cross-https origin and swap-origin redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Referrer Policy: Expects omitted for fetch to same-http origin and keep-origin redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Referrer Policy: Expects omitted for fetch to same-http origin and no-redirect redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Referrer Policy: Expects omitted for fetch to same-http origin and swap-origin redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Referrer Policy: Expects omitted for fetch to same-https origin and keep-origin redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Referrer Policy: Expects omitted for fetch to same-https origin and no-redirect redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Referrer Policy: Expects omitted for fetch to same-https origin and swap-origin redirection from http context.]
|
||||
expected: FAIL
|
|
@ -1,6 +0,0 @@
|
|||
[worker-classic.http.html]
|
||||
[Referrer Policy: Expects omitted for worker-classic to same-http origin and keep-origin redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Referrer Policy: Expects omitted for worker-classic to same-http origin and no-redirect redirection from http context.]
|
||||
expected: FAIL
|
|
@ -1,6 +0,0 @@
|
|||
[worker-module.http.html]
|
||||
[Referrer Policy: Expects omitted for worker-module to same-http origin and keep-origin redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Referrer Policy: Expects omitted for worker-module to same-http origin and no-redirect redirection from http context.]
|
||||
expected: FAIL
|
|
@ -1,36 +0,0 @@
|
|||
[xhr.http.html]
|
||||
[Referrer Policy: Expects omitted for xhr to cross-http origin and keep-origin redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Referrer Policy: Expects omitted for xhr to cross-http origin and no-redirect redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Referrer Policy: Expects omitted for xhr to cross-http origin and swap-origin redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Referrer Policy: Expects omitted for xhr to cross-https origin and keep-origin redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Referrer Policy: Expects omitted for xhr to cross-https origin and no-redirect redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Referrer Policy: Expects omitted for xhr to cross-https origin and swap-origin redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Referrer Policy: Expects omitted for xhr to same-http origin and keep-origin redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Referrer Policy: Expects omitted for xhr to same-http origin and no-redirect redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Referrer Policy: Expects omitted for xhr to same-http origin and swap-origin redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Referrer Policy: Expects omitted for xhr to same-https origin and keep-origin redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Referrer Policy: Expects omitted for xhr to same-https origin and no-redirect redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Referrer Policy: Expects omitted for xhr to same-https origin and swap-origin redirection from http context.]
|
||||
expected: FAIL
|
|
@ -1,6 +0,0 @@
|
|||
[fetch.http.html]
|
||||
[Referrer Policy: Expects origin for fetch to same-http origin and keep-origin redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Referrer Policy: Expects origin for fetch to same-http origin and no-redirect redirection from http context.]
|
||||
expected: FAIL
|
|
@ -1,6 +0,0 @@
|
|||
[worker-classic.http.html]
|
||||
[Referrer Policy: Expects origin for worker-classic to same-http origin and keep-origin redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Referrer Policy: Expects origin for worker-classic to same-http origin and no-redirect redirection from http context.]
|
||||
expected: FAIL
|
|
@ -1,6 +0,0 @@
|
|||
[worker-module.http.html]
|
||||
[Referrer Policy: Expects origin for worker-module to same-http origin and keep-origin redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Referrer Policy: Expects origin for worker-module to same-http origin and no-redirect redirection from http context.]
|
||||
expected: FAIL
|
|
@ -1,6 +0,0 @@
|
|||
[xhr.http.html]
|
||||
[Referrer Policy: Expects origin for xhr to same-http origin and keep-origin redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Referrer Policy: Expects origin for xhr to same-http origin and no-redirect redirection from http context.]
|
||||
expected: FAIL
|
|
@ -1,25 +0,0 @@
|
|||
[fetch.http.html]
|
||||
[Referrer Policy: Expects omitted for fetch to cross-https origin and keep-origin redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Referrer Policy: Expects omitted for fetch to cross-http origin and no-redirect redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Referrer Policy: Expects omitted for fetch to same-http origin and swap-origin redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Referrer Policy: Expects omitted for fetch to cross-https origin and swap-origin redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Referrer Policy: Expects omitted for fetch to cross-http origin and swap-origin redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Referrer Policy: Expects omitted for fetch to cross-http origin and keep-origin redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Referrer Policy: Expects omitted for fetch to same-https origin and swap-origin redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Referrer Policy: Expects omitted for fetch to cross-https origin and no-redirect redirection from http context.]
|
||||
expected: FAIL
|
||||
|
|
@ -1,25 +0,0 @@
|
|||
[xhr.http.html]
|
||||
[Referrer Policy: Expects omitted for xhr to cross-http origin and keep-origin redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Referrer Policy: Expects omitted for xhr to same-http origin and swap-origin redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Referrer Policy: Expects omitted for xhr to same-https origin and swap-origin redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Referrer Policy: Expects omitted for xhr to cross-https origin and no-redirect redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Referrer Policy: Expects omitted for xhr to cross-http origin and no-redirect redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Referrer Policy: Expects omitted for xhr to cross-https origin and keep-origin redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Referrer Policy: Expects omitted for xhr to cross-https origin and swap-origin redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Referrer Policy: Expects omitted for xhr to cross-http origin and swap-origin redirection from http context.]
|
||||
expected: FAIL
|
||||
|
|
@ -1,6 +0,0 @@
|
|||
[fetch.http.html]
|
||||
[Referrer Policy: Expects origin for fetch to same-http origin and keep-origin redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Referrer Policy: Expects origin for fetch to same-http origin and no-redirect redirection from http context.]
|
||||
expected: FAIL
|
|
@ -1,6 +0,0 @@
|
|||
[worker-classic.http.html]
|
||||
[Referrer Policy: Expects origin for worker-classic to same-http origin and keep-origin redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Referrer Policy: Expects origin for worker-classic to same-http origin and no-redirect redirection from http context.]
|
||||
expected: FAIL
|
|
@ -1,6 +0,0 @@
|
|||
[worker-module.http.html]
|
||||
[Referrer Policy: Expects origin for worker-module to same-http origin and keep-origin redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Referrer Policy: Expects origin for worker-module to same-http origin and no-redirect redirection from http context.]
|
||||
expected: FAIL
|
|
@ -1,6 +0,0 @@
|
|||
[xhr.http.html]
|
||||
[Referrer Policy: Expects origin for xhr to same-http origin and keep-origin redirection from http context.]
|
||||
expected: FAIL
|
||||
|
||||
[Referrer Policy: Expects origin for xhr to same-http origin and no-redirect redirection from http context.]
|
||||
expected: FAIL
|
|
@ -1,6 +1,3 @@
|
|||
[workers.html]
|
||||
[Dedicated worker with local scheme inherits referrer policy from the creating document.]
|
||||
expected: FAIL
|
||||
|
||||
[Shared worker with local scheme inherits referrer policy from the creating document.]
|
||||
expected: FAIL
|
||||
|
|
|
@ -7,3 +7,6 @@
|
|||
|
||||
[Connecting to a shared worker on a revoked blob URL works.]
|
||||
expected: FAIL
|
||||
|
||||
[Blob URLs should not resolve relative to document base URL.]
|
||||
expected: FAIL
|
||||
|
|
|
@ -27,3 +27,21 @@ promise_test(async t => {
|
|||
const reply = await message_from_port(worker);
|
||||
assert_equals(reply, run_result);
|
||||
}, 'Creating a dedicated worker from a blob URL works immediately before revoking.');
|
||||
|
||||
promise_test(async t => {
|
||||
const run_result = false;
|
||||
const blob_contents = `
|
||||
let constructedRequest = false;
|
||||
try {
|
||||
new Request("./file.js");
|
||||
constructedRequest = true;
|
||||
} catch (e) {}
|
||||
self.postMessage(constructedRequest);
|
||||
`;
|
||||
const blob = new Blob([blob_contents]);
|
||||
const url = URL.createObjectURL(blob);
|
||||
|
||||
const worker = new Worker(url);
|
||||
const reply = await message_from_port(worker);
|
||||
assert_equals(reply, run_result, "Should not be able to resolve request with relative file path in blob");
|
||||
}, 'Blob URLs should not resolve relative to document base URL.');
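Review bot: The empty `catch (e) {}` in the blob script lets this test pass on any exception, not only on the relative-URL parse failure it is named for. A worker in which `Request` is unavailable or throws for an unrelated reason would also post `false`. Recording the error, e.g. `} catch (e) { errorName = e.name; }`, posting that value and asserting `assert_equals(reply, "TypeError")` would pin the behaviour actually under test. The shared-worker test added in the next file section repeats the same pattern.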
|
||||
|
|
|
@ -51,3 +51,21 @@ promise_test(async t => {
|
|||
const reply2 = await message_from_port(worker2.port);
|
||||
assert_equals(reply2, run_result + '2');
|
||||
}, 'Connecting to a shared worker on a revoked blob URL works.');
|
||||
|
||||
promise_test(async t => {
|
||||
const run_result = false;
|
||||
const blob_contents = `
|
||||
let constructedRequest = false;
|
||||
try {
|
||||
new Request("./file.js");
|
||||
constructedRequest = true;
|
||||
} catch (e) {}
|
||||
self.postMessage(constructedRequest);
|
||||
`;
|
||||
const blob = new Blob([blob_contents]);
|
||||
const url = URL.createObjectURL(blob);
|
||||
|
||||
const worker = new SharedWorker(url);
|
||||
const reply = await message_from_port(worker);
|
||||
assert_equals(reply, run_result, "Should not be able to resolve request with relative file path in blob");
|
||||
}, 'Blob URLs should not resolve relative to document base URL.');
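Review bot: The shared-worker variant looks unable to ever receive a reply. The blob script calls `self.postMessage(...)`, which a shared worker's global scope does not provide, and the page waits on `message_from_port(worker)` where the preceding test in this file uses `message_from_port(worker2.port)`. The script should answer through the connecting port, e.g. `self.onconnect = e => e.ports[0].postMessage(constructedRequest);`, and the page should await `message_from_port(worker.port)`. As written, the `expected: FAIL` added for this test in the metadata may reflect the test itself rather than the blob base-URL behaviour. `message_from_port` is defined outside the hunk, so how it treats a non-port argument is not visible here.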
|
||||
|
|