Update web-platform-tests to revision ee82278e15570e573d87fb80179ff8231b6db61a

tests/wpt/web-platform-tests/workers/modules/dedicated-worker-import-csp.html

@@ -0,0 +1,114 @@
+<!DOCTYPE html>
+<title>DedicatedWorker: CSP for ES Modules</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script>
+
+async function openWindow(url) {
+  const win = window.open(url, '_blank');
+  add_result_callback(() => win.close());
+  const msg_event = await new Promise(resolve => window.onmessage = resolve);
+  assert_equals(msg_event.data, 'LOADED');
+  return win;
+}
+
+function import_csp_test(
+    cspHeader, scriptURL, expectedImportedModules, description) {
+  const windowURL =
+      `resources/new-worker-window.html?pipe=header(` +
+          `Content-Security-Policy, ${cspHeader})`;
+  promise_test(async () => {
+    // Open a window that has the given CSP header.
+    const win = await openWindow(windowURL);
+    // Ask the window to start a dedicated worker. The worker inherits the
+    // window's CSP header.
+    // https://w3c.github.io/webappsec-csp/#initialize-global-object-csp
+    win.postMessage(scriptURL, '*');
+    const msg_event = await new Promise(resolve => window.onmessage = resolve);
+    assert_array_equals(msg_event.data, expectedImportedModules);
+  }, description);
+}
+
+// Tests for static import.
+//
+// Static import should obey the worker-src directive and the script-src
+// directive. If the both directives are specified, the worker-src directive
+// should be prioritized.
+//
+// Step 1: "If the result of executing 6.6.1.11 Get the effective directive for
+// request on request is "worker-src", and policy contains a directive whose
+// name is "worker-src", return "Allowed"."
+// "Note: If worker-src is present, we’ll defer to it when handling worker
+// requests."
+// https://w3c.github.io/webappsec-csp/#script-src-pre-request
+
+import_csp_test(
+    "worker-src 'self' 'unsafe-inline'",
+    "static-import-remote-origin-script-worker.sub.js",
+    ['ERROR'],
+    "worker-src 'self' directive should disallow cross origin static import.");
+
+import_csp_test(
+    "worker-src * 'unsafe-inline'",
+    "static-import-remote-origin-script-worker.sub.js",
+    ["export-on-load-script.js"],
+    "worker-src * directive should allow cross origin static import.")
+
+import_csp_test(
+    "script-src 'self' 'unsafe-inline'",
+    "static-import-remote-origin-script-worker.sub.js",
+    ['ERROR'],
+    "script-src 'self' directive should disallow cross origin static import.");
+
+import_csp_test(
+    "script-src * 'unsafe-inline'",
+    "static-import-remote-origin-script-worker.sub.js",
+    ["export-on-load-script.js"],
+    "script-src * directive should allow cross origin static import.")
+
+import_csp_test(
+    "worker-src *; script-src 'self' 'unsafe-inline'",
+    "static-import-remote-origin-script-worker.sub.js",
+    ["export-on-load-script.js"],
+    "worker-src * directive should override script-src 'self' directive and " +
+        "allow cross origin static import.");
+
+import_csp_test(
+    "worker-src 'self'; script-src * 'unsafe-inline'",
+    "static-import-remote-origin-script-worker.sub.js",
+    ['ERROR'],
+    "worker-src 'self' directive should override script-src * directive and " +
+        "disallow cross origin static import.");
+
+// Tests for dynamic import.
+//
+// Dynamic import should obey the script-src directive instead of the worker-src
+// directive according to the specs:
+//
+// Dynamic import has the "script" destination.
+// Step 2.4: "Fetch a module script graph given url, ..., "script", ..."
+// https://html.spec.whatwg.org/multipage/webappapis.html#hostimportmoduledynamically(referencingscriptormodule,-specifier,-promisecapability)
+//
+// The "script" destination should obey the script-src CSP directive.
+// Step 2: "If request's destination is script-like:"
+// https://w3c.github.io/webappsec-csp/#script-src-pre-request
+
+import_csp_test(
+    "script-src 'self' 'unsafe-inline'",
+    "dynamic-import-remote-origin-script-worker.sub.js",
+    ['ERROR'],
+    "script-src 'self' directive should disallow cross origin dynamic import.");
+
+import_csp_test(
+    "script-src * 'unsafe-inline'",
+    "dynamic-import-remote-origin-script-worker.sub.js",
+    ["export-on-load-script.js"],
+    "script-src * directive should allow cross origin dynamic import.")
+
+import_csp_test(
+    "worker-src 'self' 'unsafe-inline'",
+    "dynamic-import-remote-origin-script-worker.sub.js",
+    ["export-on-load-script.js"],
+    "worker-src 'self' directive should not take effect on dynamic import.");
+
+</script>

tests/wpt/web-platform-tests/workers/modules/dedicated-worker-options-credentials.html

@@ -17,61 +17,68 @@ function DetermineExpectedCookieValue(options) {
     return 'COOKIE_VALUE';
   assert_equals(options.type, 'module');
 
-  if (!options.credentials || options.credentials == 'omit')
-    return '';
-  if (options.credentials == 'same-origin' || options.credentials == 'include')
+  if (!options.credentials ||
+      options.credentials == 'same-origin' ||
+      options.credentials == 'include') {
     return 'COOKIE_VALUE';
+  }
+  if (options.credentials == 'omit')
+    return '';
   assert_unreached('Invalid credentials option was specified: ' +
                    options.credentials);
 }
 
 // Runs a credentials test with the given WorkerOptions.
-async function runCredentialsTest(options) {
-  const worker = new Worker('resources/credentials.py', options);
+function credentials_test(options, description) {
+  promise_test(async () => {
+    const worker = new Worker('resources/credentials.py', options);
 
-  // Wait until the worker sends the actual cookie value.
-  const msg_event = await new Promise(resolve => worker.onmessage = resolve);
+    // Wait until the worker sends the actual cookie value.
+    const msg_event = await new Promise(resolve => worker.onmessage = resolve);
 
-  const expectedCookieValue = DetermineExpectedCookieValue(options);
-  assert_equals(msg_event.data, expectedCookieValue);
+    const expectedCookieValue = DetermineExpectedCookieValue(options);
+    assert_equals(msg_event.data, expectedCookieValue);
+  }, description);
 }
 
 // Tests for module scripts.
 
-promise_test(() => runCredentialsTest({ type: 'module'}),
-    'new Worker() with the default credentials option should not send ' +
-    'the credentials');
+credentials_test(
+    { type: 'module'},
+    'new Worker() with the default credentials option should behave as ' +
+    'credentials=same-origin and send the credentials');
 
-promise_test(() => runCredentialsTest({ credentials: 'omit',
-                                        type: 'module' }),
+credentials_test(
+    { credentials: 'omit', type: 'module' },
     'new Worker() with credentials=omit should not send the credentials');
 
-promise_test(() => runCredentialsTest({ credentials: 'same-origin',
-                                        type: 'module' }),
+credentials_test(
+    { credentials: 'same-origin', type: 'module' },
     'new Worker() with credentials=same-origin should send the credentials');
 
-promise_test(() => runCredentialsTest({ credentials: 'include',
-                                        type: 'module' }),
+credentials_test(
+    { credentials: 'include', type: 'module' },
     'new Worker() with credentials=include should send the credentials');
 
 // Tests for classic scripts.
 
-promise_test(() => runCredentialsTest({ type: 'classic' }),
+credentials_test(
+    { type: 'classic' },
     'new Worker() with type=classic should always send the credentials ' +
     'regardless of the credentials option (default).');
 
-promise_test(() => runCredentialsTest({ credentials: 'omit',
-                                        type: 'classic' }),
+credentials_test(
+    { credentials: 'omit', type: 'classic' },
     'new Worker() with type=classic should always send the credentials ' +
     'regardless of the credentials option (omit).');
 
-promise_test(() => runCredentialsTest({ credentials: 'same-origin',
-                                        type: 'classic' }),
+credentials_test(
+    { credentials: 'same-origin', type: 'classic' },
     'new Worker() with type=classic should always send the credentials ' +
     'regardless of the credentials option (same-origin).');
 
-promise_test(() => runCredentialsTest({ credentials: 'include',
-                                        type: 'classic' }),
+credentials_test(
+    { credentials: 'include', type: 'classic' },
     'new Worker() with type=classic should always send the credentials ' +
     'regardless of the credentials option (include).');
 

tests/wpt/web-platform-tests/workers/modules/resources/dynamic-import-remote-origin-script-worker.sub.js

@@ -0,0 +1,4 @@
+// Import a remote origin script.
+import('https://{{domains[www1]}}:{{ports[https][0]}}/workers/modules/resources/export-on-load-script.js')
+  .then(module => postMessage(module.importedModules))
+  .catch(e => postMessage(['ERROR']));

tests/wpt/web-platform-tests/workers/modules/resources/export-on-load-script.js.headers

@@ -0,0 +1 @@
+Access-Control-Allow-Origin: *

tests/wpt/web-platform-tests/workers/modules/resources/new-worker-window.html

@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<title>DedicatedWorker: new Worker()</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script>
+let worker;
+
+// Creates a new dedicated worker for a given script url.
+window.onmessage = e => {
+  worker = new Worker(e.data, { type: 'module' });
+  worker.onmessage = msg => window.opener.postMessage(msg.data, '*');
+  worker.onerror = err => window.opener.postMessage(['ERROR'], '*');
+};
+window.opener.postMessage('LOADED', '*');
+</script>

tests/wpt/web-platform-tests/workers/modules/resources/static-import-remote-origin-script-worker.sub.js

@@ -0,0 +1,3 @@
+// Import a remote origin script.
+import * as module from 'https://{{domains[www1]}}:{{ports[https][0]}}/workers/modules/resources/export-on-load-script.js';
+postMessage(module.importedModules);