Update web-platform-tests to revision be5419e845d39089ba6dc338c1bd0fa279108317

2025-08-11 08:25:32 +01:00 · 2018-01-04 13:44:24 -05:00 · 2018-01-04 13:44:24 -05:00 · 2b6f573eb5
commit 2b6f573eb5
parent aa199307c8
3440 changed files with 109438 additions and 41750 deletions
--- a/tests/wpt/web-platform-tests/worklets/resources/csp-tests.js
+++ b/tests/wpt/web-platform-tests/worklets/resources/csp-tests.js
@ -22,16 +22,13 @@ function openWindowAndExpectResult(windowURL, scriptURL, type, expectation) {
 // Usage:
 // runContentSecurityPolicyTests("paint");
 function runContentSecurityPolicyTests(workletType) {
-  const worklet = get_worklet(workletType);
-
  promise_test(t => {
    const kWindowURL =
        'resources/addmodule-window.html?pipe=header(' +
        'Content-Security-Policy, script-src \'self\' \'unsafe-inline\')';
    const kScriptURL =
        get_host_info().HTTPS_REMOTE_ORIGIN +
-        '/worklets/resources/import-empty-worklet-script.js' +
-        '?pipe=header(Access-Control-Allow-Origin, *)';
+        '/worklets/resources/import-empty-worklet-script-with-cors-header.js';
    return openWindowAndExpectResult(
        kWindowURL, kScriptURL, workletType, 'REJECTED');
  }, 'Importing a remote-origin worklet script should be blocked by the ' +
@ -51,9 +48,9 @@ function runContentSecurityPolicyTests(workletType) {
    const kWindowURL =
        'resources/addmodule-window.html?pipe=header(' +
        'Content-Security-Policy, script-src * \'unsafe-inline\')';
-    const kScriptURL = get_host_info().HTTPS_REMOTE_ORIGIN +
-                       '/worklets/resources/empty-worklet-script.js' +
-                       '?pipe=header(Access-Control-Allow-Origin, *)';
+    const kScriptURL =
+        get_host_info().HTTPS_REMOTE_ORIGIN +
+        '/worklets/resources/empty-worklet-script-with-cors-header.js';
    return openWindowAndExpectResult(
        kWindowURL, kScriptURL, workletType, 'RESOLVED');
  }, 'Importing a remote-origin worklet script should not be blocked ' +
@ -65,9 +62,9 @@ function runContentSecurityPolicyTests(workletType) {
        'Content-Security-Policy, script-src * \'unsafe-inline\')';
    // A worklet on HTTPS_REMOTE_ORIGIN will import a child script on
    // HTTPS_REMOTE_ORIGIN.
-    const kScriptURL = get_host_info().HTTPS_REMOTE_ORIGIN +
-                       '/worklets/resources/import-empty-worklet-script.js' +
-                       '?pipe=header(Access-Control-Allow-Origin, *)';
+    const kScriptURL =
+        get_host_info().HTTPS_REMOTE_ORIGIN +
+        '/worklets/resources/import-empty-worklet-script-with-cors-header.js';
    return openWindowAndExpectResult(
        kWindowURL, kScriptURL, workletType, 'RESOLVED');
  }, 'Importing a remote-origin script from a remote-origin worklet script '+
@ -77,12 +74,57 @@ function runContentSecurityPolicyTests(workletType) {
    const kWindowURL =
        'resources/addmodule-window.html?pipe=header(' +
        'Content-Security-Policy, worker-src \'self\' \'unsafe-inline\')';
-    const kScriptURL = get_host_info().HTTPS_REMOTE_ORIGIN +
-                       '/worklets/resources/empty-worklet-script.js' +
-                       '?pipe=header(Access-Control-Allow-Origin, *)';
+    const kScriptURL =
+        get_host_info().HTTPS_REMOTE_ORIGIN +
+        '/worklets/resources/empty-worklet-script-with-cors-header.js';
    return openWindowAndExpectResult(
        kWindowURL, kScriptURL, workletType, 'RESOLVED');
  }, 'Importing a remote-origin worklet script should not be blocked by ' +
     'the worker-src directive because worklets obey the script-src ' +
     'directive.');
+
+  promise_test(t => {
+    const kWindowURL = 'resources/addmodule-window.html';
+    const kScriptURL =
+        get_host_info().HTTP_ORIGIN +
+        '/worklets/resources/empty-worklet-script.js';
+    return openWindowAndExpectResult(
+        kWindowURL, kScriptURL, workletType, 'REJECTED');
+  }, 'Importing an insecure-origin worklet script should be blocked because ' +
+     'of mixed contents.');
+
+  promise_test(t => {
+    const kWindowURL = 'resources/addmodule-window.html?pipe=header(' +
+                       'Content-Security-Policy, upgrade-insecure-requests)';
+    // This test relies on some unintuitive cleverness due to WPT's test setup:
+    // 'Upgrade-Insecure-Requests' does not upgrade the port number, so we use
+    // URLs in the form `http://[host]:[https-port]`. If the upgrade fails, the
+    // load will fail, as we don't serve HTTP over the secure port.
+    const kHost = get_host_info().ORIGINAL_HOST;
+    const kPort = get_host_info().HTTPS_PORT;
+    const kScriptURL =
+        `http://${kHost}:${kPort}/worklets/resources/empty-worklet-script.js`;
+    return openWindowAndExpectResult(
+        kWindowURL, kScriptURL, workletType, 'RESOLVED');
+  }, 'Importing an insecure-origin worklet script should not be blocked ' +
+     'because the upgrade-insecure-requests directive translates it as the ' +
+     'secure origin.');
+
+  promise_test(t => {
+    const kWindowURL = 'resources/addmodule-window.html';
+    const kScriptURL = 'import-insecure-origin-empty-worklet-script.sub.js';
+    return openWindowAndExpectResult(
+        kWindowURL, kScriptURL, workletType, 'REJECTED');
+  }, 'Importing an insecure-origin script from a secure-origin worklet ' +
+     'script should be blocked because of mixed contents.');
+
+  promise_test(t => {
+    const kWindowURL = 'resources/addmodule-window.html?pipe=header(' +
+                       'Content-Security-Policy, upgrade-insecure-requests)';
+    const kScriptURL = 'import-insecure-origin-empty-worklet-script.sub.js';
+    return openWindowAndExpectResult(
+        kWindowURL, kScriptURL, workletType, 'RESOLVED');
+  }, 'Importing an insecure-origin script from a secure-origin worklet ' +
+     'script should not be blocked because the upgrade-insecure-requests ' +
+     'directive translates it as the secure origin.');
 }