chromium/third_party/blink/web_tests/external/wpt/content-security-policy/inside-worker/support/connect-src-self-report-only.sub.js

importScripts("{{location[server]}}/resources/testharness.js");
importScripts("{{location[server]}}/content-security-policy/support/testharness-helper.js");

let base_same_origin_url =
      "{{location[server]}}/content-security-policy/support/resource.py";

// Same-origin
promise_test(t => {
  let url = `${base_same_origin_url}?same-origin-fetch`;
  assert_no_csp_event_for_url(t, url);

  return fetch(url)
      .then(t.step_func(r => assert_equals(r.status, 200)));
}, "Same-origin 'fetch()'.");

// XHR is not available in service workers.
if (self.XMLHttpRequest) {
  promise_test(t => {
    let url = `${base_same_origin_url}?same-origin-xhr`;
    assert_no_csp_event_for_url(t, url);

    return new Promise((resolve, reject) => {
      var xhr = new XMLHttpRequest();
      xhr.open("GET", url);
      xhr.onload = resolve;
      xhr.onerror = _ => reject("xhr.open should success.");
      xhr.send();
    });
  }, "Same-origin XHR.");
}

let base_cross_origin_url =
      "https://{{hosts[][www]}}:{{ports[https][1]}}" +
      "/content-security-policy/support/resource.py";
let fetch_cross_origin_url = `${base_cross_origin_url}?cross-origin-fetch`;

// Cross-origin
promise_test(t => {
  let url = fetch_cross_origin_url;

  return Promise.all([
    waitUntilCSPEventForURL(t, url),
    fetch(url)
  ]);
}, "Cross-origin 'fetch()'.");

let xhr_cross_origin_url = `${base_cross_origin_url}?cross-origin-xhr`;

// XHR is not available in service workers.
if (self.XMLHttpRequest) {
  promise_test(t => {
    let url = xhr_cross_origin_url;

    return Promise.all([
      waitUntilCSPEventForURL(t, url),
      new Promise((resolve, reject) => {
        var xhr = new XMLHttpRequest();
        xhr.open("GET", url);
        xhr.onload = resolve;
        xhr.onerror = _ => reject("xhr.open should not have thrown.");
        xhr.send();
      })
    ]);
  }, "Cross-origin XHR.");
}

let redirect_url = `{{location[server]}}/common/redirect-opt-in.py?` +
      `status=307&location=${fetch_cross_origin_url}`;

// Same-origin redirecting to cross-origin
promise_test(t => {
  let url = redirect_url;

  return Promise.all([
    waitUntilCSPEventForURL(t, url),
    fetch(url)
  ]);
}, "Same-origin => cross-origin 'fetch()'.");

let websocket_url = "wss://{{host}}:{{ports[wss][0]}}/echo";

// The WebSocket URL is not the same as 'self'
promise_test(t => {
  return Promise.all([
    waitUntilCSPEventForURL(t, websocket_url),
    new Promise(resolve => {
      let ws = new WebSocket(websocket_url);
      ws.onopen = resolve;
    })
  ]);
}, "WebSocket.");

let expected_blocked_urls = self.XMLHttpRequest
    ? [ fetch_cross_origin_url, xhr_cross_origin_url, redirect_url, websocket_url ]
    : [ fetch_cross_origin_url, redirect_url, websocket_url ];

promise_test(async t => {
  let report_url = `{{location[server]}}/reporting/resources/report.py?` +
      `?op=retrieve_report&reportID={{GET[id]}}` +
      `&min_count=${expected_blocked_urls.length}`;

  let response = await fetch(report_url);
  assert_equals(response.status, 200, "Fetching reports failed");

  let response_json = await response.json();
  let reports = response_json.map(x => x["csp-report"]);

  assert_array_equals(
      reports.map(x => x["blocked-uri"]).sort(),
      expected_blocked_urls.sort(),
      "Reports do not match");
  reports.forEach(x => {
    assert_equals(
        x["violated-directive"], "connect-src",
        "Violated directive in report does not match");
    assert_equals(
        x["effective-directive"], "connect-src",
        "Effective directive in report does not match");
    assert_equals(
        x["disposition"], "report",
        "Disposition in report does not match");
    assert_equals(
        x["document-uri"],
        "{{location[server]}}/content-security-policy/inside-worker/" +
          "support/connect-src-self-report-only.sub.js?id={{GET[id]}}",
        "Document uri in report does not match");
  });
});

done();