[WPT] Check origin used in module import in dedicated workers

DedicatedWorker version of WPTs added in: https://chromium-review.googlesource.com/c/chromium/src/+/2046803 https://github.com/web-platform-tests/wpt/pull/21836 Bug: None Change-Id: Ic18e09f7855bc234b6179ae24b54a8d0473551aa Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2462910 Commit-Queue: Hiroshige Hayashizaki <hiroshige@chromium.org> Reviewed-by: Hiroki Nakagawa <nhiroki@chromium.org> Cr-Commit-Position: refs/heads/master@{#827538}

[WPT] Check origin used in module import in dedicated workers
DedicatedWorker version of WPTs added in: https://chromium-review.googlesource.com/c/chromium/src/+/2046803 https://github.com/web-platform-tests/wpt/pull/21836 Bug: None Change-Id: Ic18e09f7855bc234b6179ae24b54a8d0473551aa Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2462910 Commit-Queue: Hiroshige Hayashizaki <hiroshige@chromium.org> Reviewed-by: Hiroki Nakagawa <nhiroki@chromium.org> Cr-Commit-Position: refs/heads/master@{#827538}
ea584430 · Hiroshige Hayashizaki · Commit Bot · 72ee4235 · ea584430
Commit ea584430 authored Nov 14, 2020 by Hiroshige Hayashizaki Committed by Commit Bot Nov 14, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 43 additions and 0 deletions

third_party/blink/web_tests/external/wpt/workers/modules/dedicated-worker-import-data-url-cross-origin.html ...odules/dedicated-worker-import-data-url-cross-origin.html +43 -0

No files found.
--- a/third_party/blink/web_tests/external/wpt/workers/modules/dedicated-worker-import-data-url-cross-origin.html
+++ b/third_party/blink/web_tests/external/wpt/workers/modules/dedicated-worker-import-data-url-cross-origin.html
+<!DOCTYPE html>
+<title>DedicatedWorker: ES modules for data URL workers</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script>
+
+const import_from_data_url_worker_test = (importType, isDataURL, expectation) => {
+  promise_test(async () => {
+    const importURL = new URL(`resources/${importType}-import-` +
+        `${isDataURL ? 'data-url' : 'script'}-block-cross-origin.js`,
+        location.href) + '?pipe=header(Access-Control-Allow-Origin, *)';
+    const dataURL = `data:text/javascript,import "${importURL}";`;
+    const worker = new Worker(dataURL, { type: 'module' });
+    worker.postMessage('Send message for tests from main script.');
+    const msgEvent =
+        await new Promise(resolve => worker.onmessage = resolve);
+    assert_array_equals(msgEvent.data,
+        expectation === 'blocked' ? ['ERROR']
+                                  : ['export-block-cross-origin.js']);
+  }, `${importType} import ${isDataURL ? 'data url' : 'script'} from data: ` +
+     `URL should be ${expectation}.`);
+}
+
+// Static import should obey the outside settings.
+// SecurityOrigin of the outside settings is decided by Window.
+import_from_data_url_worker_test('static', true, 'allowed');
+import_from_data_url_worker_test('static', false, 'allowed');
+
+
+// Dynamic import should obey the inside settings.
+// SecurityOrigin of the inside settings is a unique opaque origin.
+//
+// Data url script is cross-origin to the inside settings' SecurityOrigin, but
+// dynamic importing it is allowed.
+// https://fetch.spec.whatwg.org/#concept-main-fetch
+// Step 5: request’s current URL’s scheme is "data" [spec text]
+import_from_data_url_worker_test('dynamic', true, 'allowed');
+
+// Non-data url script is cross-origin to the inside settings' SecurityOrigin.
+// It should be blocked.
+import_from_data_url_worker_test('dynamic', false, 'blocked');
+
+</script>