| <!DOCTYPE html> |
| <meta charset="utf-8"> |
| <script src="/resources/testharness.js"></script> |
| <script src="/resources/testharnessreport.js"></script> |
| <script src="/service-workers/service-worker/resources/test-helpers.sub.js"></script> |
| <body> |
| <script> |
| let frame = null; |
| let worker = null; |
| const scope = 'support/empty.html'; |
| const script = 'support/sandboxed-service-worker.js'; |
| |
| // Currently, sandbox directives for workers are not specified |
| // https://github.com/w3c/webappsec-csp/issues/279 |
| // and thus this test asserts that the origin of ServiceWorker is not sandboxed. |
| |
| // Global setup: this must be the first promise_test. |
| promise_test(async (t) => { |
| const registration = |
| await service_worker_unregister_and_register(t, script, scope); |
| worker = registration.installing; |
| await wait_for_state(t, worker, 'activated'); |
| frame = await with_iframe(scope); |
| |
| // Global cleanup: the final promise_test. |
| promise_test(() => { |
| if (frame) |
| frame.remove(); |
| return registration.unregister(); |
| }, 'global cleanup'); |
| }, 'global setup'); |
| |
| promise_test(async (t) => { |
| const r = await frame.contentWindow.fetch('/get-origin', {mode: 'cors'}); |
| const j = await r.json(); |
| assert_equals(j.origin, location.origin, 'Origin should not be sandboxed'); |
| }, 'Origin of service worker'); |
| |
| promise_test(async (t) => { |
| const r = await frame.contentWindow.fetch('/get-origin', |
| {mode: 'same-origin'}); |
| const j = await r.json(); |
| assert_equals(j.origin, location.origin, 'Origin should not be opaque'); |
| }, 'Response generated by service worker can be fetched as same-origin'); |
| |
| // Because the origin of service worker should be `location.origin`, |
| // fetches from service worker to `location.origin` should be successful. |
| for (const mode of ['same-origin', 'cors']) { |
| for (const hasACAOrigin of [true, false]) { |
| promise_test(async (t) => { |
| const final_url = new URL('/fetch/api/resources/', location); |
| final_url.pathname += hasACAOrigin ? 'cors-top.txt' : 'top.txt'; |
| final_url.searchParams.set('hash', Math.random()); |
| |
| const url = new URL('/fetch', location); |
| url.searchParams.set('url', final_url); |
| url.searchParams.set('hash', Math.random()); |
| const r = await frame.contentWindow.fetch(url, {mode}); |
| const text = await r.text(); |
| assert_equals(text, 'top'); |
| }, 'Origin used in fetch on service worker (mode: ' + |
| mode + |
| (hasACAOrigin ? ', with ACAOrigin' : '') + |
| ')'); |
| } |
| } |
| </script> |