chromium/third_party/blink/web_tests/external/wpt/content-security-policy/sandbox/service-worker-sandbox.https.html

<!DOCTYPE html>
<meta charset="utf-8">
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/service-workers/service-worker/resources/test-helpers.sub.js"></script>
<body>
<script>
let frame = null;
let worker = null;
const scope = 'support/empty.html';
const script = 'support/sandboxed-service-worker.js';

// Currently, sandbox directives for workers are not specified
// https://github.com/w3c/webappsec-csp/issues/279
// and thus this test asserts that the origin of ServiceWorker is not sandboxed.

// Global setup: this must be the first promise_test.
promise_test(async (t) => {
  const registration =
      await service_worker_unregister_and_register(t, script, scope);
  worker = registration.installing;
  await wait_for_state(t, worker, 'activated');
  frame = await with_iframe(scope);

  // Global cleanup: the final promise_test.
  promise_test(() => {
    if (frame)
      frame.remove();
     return registration.unregister();
  }, 'global cleanup');
}, 'global setup');

promise_test(async (t) => {
  const r = await frame.contentWindow.fetch('/get-origin', {mode: 'cors'});
  const j = await r.json();
  assert_equals(j.origin, location.origin, 'Origin should not be sandboxed');
}, 'Origin of service worker');

promise_test(async (t) => {
  const r = await frame.contentWindow.fetch('/get-origin',
                                            {mode: 'same-origin'});
  const j = await r.json();
  assert_equals(j.origin, location.origin, 'Origin should not be opaque');
}, 'Response generated by service worker can be fetched as same-origin');

// Because the origin of service worker should be `location.origin`,
// fetches from service worker to `location.origin` should be successful.
for (const mode of ['same-origin', 'cors']) {
  for (const hasACAOrigin of [true, false]) {
    promise_test(async (t) => {
      const final_url = new URL('/fetch/api/resources/', location);
      final_url.pathname += hasACAOrigin ? 'cors-top.txt' : 'top.txt';
      final_url.searchParams.set('hash', Math.random());

      const url = new URL('/fetch', location);
      url.searchParams.set('url', final_url);
      url.searchParams.set('hash', Math.random());
      const r = await frame.contentWindow.fetch(url, {mode});
      const text = await r.text();
      assert_equals(text, 'top');
    }, 'Origin used in fetch on service worker (mode: ' +
       mode +
       (hasACAOrigin ? ', with ACAOrigin' : '') +
       ')');
  }
}
</script>