Bug 1538300 [wpt PR 15919] - [Import Maps] Apply inline-script CSP checks to import maps, a=testonly

Automatic update from web-platform-tests [Import Maps] Apply inline-script CSP checks to import maps Bug: 941340 Change-Id: I1d8d6aebad4650b638f0b7ccdbfae55d398e905e Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1525017 Commit-Queue: Hiroshige Hayashizaki <hiroshige@chromium.org> Reviewed-by: Kouhei Ueno <kouhei@chromium.org> Cr-Commit-Position: refs/heads/master@{#642608} -- wpt-commits: 3833cc35db619aa9b375ac795a0da3c44c7a8b99 wpt-pr: 15919
2019-04-15 14:36:39 +00:00 · 2019-04-15 14:36:39 +00:00 · de860d15d8
--- a/testing/web-platform/tests/import-maps/csp/applied-to-target-dynamic.sub.tentative.html
+++ b/testing/web-platform/tests/import-maps/csp/applied-to-target-dynamic.sub.tentative.html
@ -0,0 +1,26 @@
+<!DOCTYPE html>
+<html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="../resources/test-helper.js"></script>
+<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline';">
+<script type="importmap">
+{
+  "imports": {
+    "../resources/log.js?pipe=sub&name=A": "https://{{domains[www1]}}:{{ports[https][0]}}/import-maps/resources/log.js?pipe=sub&name=B",
+    "https://{{domains[www1]}}:{{ports[https][0]}}/import-maps/resources/log.js?pipe=sub&name=C": "../resources/log.js?pipe=sub&name=D"
+  }
+}
+</script>
+<script>
+promise_test(t => {
+    return promise_rejects(t, TypeError(),
+                           import('../resources/log.js?pipe=sub&name=A'),
+                           'Dynamic import should fail');
+  }, 'The URL after mapping violates CSP (but not the URL before mapping)');
+
+promise_test(t => {
+    return import('https://{{domains[www1]}}:{{ports[https][0]}}/import-maps/resources/log.js?pipe=sub&name=C')
+      .then(() => assert_array_equals(log, ["log:D"]));
+  }, 'The URL before mapping violates CSP (but not the URL after mapping)');
+</script>
--- a/testing/web-platform/tests/import-maps/csp/applied-to-target.sub.tentative.html
+++ b/testing/web-platform/tests/import-maps/csp/applied-to-target.sub.tentative.html
@ -0,0 +1,31 @@
+<!DOCTYPE html>
+<html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="../resources/test-helper.js"></script>
+<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline';">
+<script type="importmap">
+{
+  "imports": {
+    "../resources/log.js?pipe=sub&name=A": "https://{{domains[www1]}}:{{ports[https][0]}}/import-maps/resources/log.js?pipe=sub&name=B",
+    "https://{{domains[www1]}}:{{ports[https][0]}}/import-maps/resources/log.js?pipe=sub&name=C": "../resources/log.js?pipe=sub&name=D"
+  }
+}
+</script>
+<script type="module">
+import '../resources/log.js?pipe=sub&name=A';
+</script>
+<script type="module">
+test(t => {
+    assert_array_equals(log, []);
+  }, 'The URL after mapping violates CSP (but not the URL before mapping)');
+</script>
+
+<script type="module">
+import 'https://{{domains[www1]}}:{{ports[https][0]}}/import-maps/resources/log.js?pipe=sub&name=C';
+</script>
+<script type="module">
+test(t => {
+    assert_array_equals(log, ["log:D"]);
+  }, 'The URL before mapping violates CSP (but not the URL after mapping)');
+</script>
--- a/testing/web-platform/tests/import-maps/csp/hash-failure.tentative.html
+++ b/testing/web-platform/tests/import-maps/csp/hash-failure.tentative.html
@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'sha256-wrong9e+pZbSYIkpB8BIE0Hs7yHajJDiX5mnT/wrong=' 'sha256-RAsyam34o4peVe9sCebtaZWRVhqAhudem+NlcnP2Kp8=';">
+
+<!-- 'sha256-P5xqp9e+pZbSYIkpB8BIE0Hs7yHajJDiX5mnT/1PO1I=' -->
+<script type="importmap">
+{
+  "imports": {
+    "../resources/log.js?pipe=sub&name=A": "../resources/log.js?pipe=sub&name=B"
+  }
+}
+</script>
+
+<!-- 'sha256-RAsyam34o4peVe9sCebtaZWRVhqAhudem+NlcnP2Kp8=' -->
+<script>
+const log = [];
+promise_test(() => {
+  return import("../resources/log.js?pipe=sub&name=A")
+    .then(() => assert_array_equals(log, ["log:A"]))
+  },
+  'Importmap should not be accepted due to wrong hash');
+</script>
--- a/testing/web-platform/tests/import-maps/csp/hash.tentative.html
+++ b/testing/web-platform/tests/import-maps/csp/hash.tentative.html
@ -0,0 +1,24 @@
+<!DOCTYPE html>
+<html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'sha256-P5xqp9e+pZbSYIkpB8BIE0Hs7yHajJDiX5mnT/1PO1I=' 'sha256-Ciqph+wQDoB2suzqZVHOD0iw99WqaTUwZXRl7ATzBxc=';">
+
+<!-- 'sha256-P5xqp9e+pZbSYIkpB8BIE0Hs7yHajJDiX5mnT/1PO1I=' -->
+<script type="importmap">
+{
+  "imports": {
+    "../resources/log.js?pipe=sub&name=A": "../resources/log.js?pipe=sub&name=B"
+  }
+}
+</script>
+
+<!-- 'sha256-Ciqph+wQDoB2suzqZVHOD0iw99WqaTUwZXRl7ATzBxc=' -->
+<script>
+const log = [];
+promise_test(() => {
+  return import("../resources/log.js?pipe=sub&name=A")
+    .then(() => assert_array_equals(log, ["log:B"]))
+  },
+  'Importmap should be accepted due to hash');
+</script>
--- a/testing/web-platform/tests/import-maps/csp/nonce-failure.tentative.html
+++ b/testing/web-platform/tests/import-maps/csp/nonce-failure.tentative.html
@ -0,0 +1,27 @@
+<!DOCTYPE html>
+<html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc';">
+<script type="importmap">
+{
+  "imports": {
+    "../resources/log.js?pipe=sub&name=A": "../resources/log.js?pipe=sub&name=B"
+  }
+}
+</script>
+<script type="importmap" nonce="wrong">
+{
+  "imports": {
+    "../resources/log.js?pipe=sub&name=A": "../resources/log.js?pipe=sub&name=B"
+  }
+}
+</script>
+<script nonce="abc">
+const log = [];
+promise_test(() => {
+  return import("../resources/log.js?pipe=sub&name=A")
+    .then(() => assert_array_equals(log, ["log:A"]))
+  },
+  'Importmap should be rejected due to nonce');
+</script>
--- a/testing/web-platform/tests/import-maps/csp/nonce.tentative.html
+++ b/testing/web-platform/tests/import-maps/csp/nonce.tentative.html
@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc';">
+<script type="importmap" nonce="abc">
+{
+  "imports": {
+    "../resources/log.js?pipe=sub&name=A": "../resources/log.js?pipe=sub&name=B"
+  }
+}
+</script>
+<script nonce="abc">
+const log = [];
+promise_test(() => {
+  return import("../resources/log.js?pipe=sub&name=A")
+    .then(() => assert_array_equals(log, ["log:B"]))
+  },
+  'Importmap should be accepted according to its correct nonce');
+</script>
--- a/testing/web-platform/tests/import-maps/csp/unsafe-inline.tentative.html
+++ b/testing/web-platform/tests/import-maps/csp/unsafe-inline.tentative.html
@ -0,0 +1,20 @@
+<!DOCTYPE html>
+<html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<meta http-equiv="Content-Security-Policy" content="script-src 'self' 'unsafe-inline';">
+<script type="importmap">
+{
+  "imports": {
+    "../resources/log.js?pipe=sub&name=A": "../resources/log.js?pipe=sub&name=B"
+  }
+}
+</script>
+<script>
+const log = [];
+promise_test(() => {
+  return import("../resources/log.js?pipe=sub&name=A")
+    .then(() => assert_array_equals(log, ["log:B"]))
+  },
+  'Importmap should be accepted due to unsafe-inline');
+</script>