chromium/third_party/blink/web_tests/http/tests/security/isolatedWorld/resources/isolated-world-fetch-csp.js

/**
 * Issues one fetch() against the local test server and logs a PASS/FAIL line
 * depending on whether the request was expected to be blocked.
 *
 * This function must stay self-contained: testFetchInIsolatedWorld()
 * serializes its source text and evaluates it in the isolated world, so it
 * cannot rely on helpers or constants declared elsewhere in this file.
 *
 * @param {boolean} expectBlocked True when the request is expected to fail.
 * @param {boolean=} redirect When truthy, the request goes through
 *     redirect.php, which is asked to redirect to the target resource.
 */
function testFetch(expectBlocked, redirect) {
  const target =
      'http://127.0.0.1:8000/security/isolatedWorld/resources/access_control_allow_origin.php';

  // The target is interpolated into the query string unencoded; that is only
  // unambiguous because the target URL carries no query string of its own.
  const requestUrl = redirect ?
      `http://127.0.0.1:8000/resources/redirect.php?url=${
          target}&cors_allow_origin=*&delay=100` :
      target;

  const readBody = (response) => response.text();

  const reportResponse = (responseText) => {
    const success = responseText == 'Hello world';
    if (!expectBlocked && success) {
      console.log('PASS: Request succeeded as expected.');
      return;
    }
    const failure = expectBlocked ?
        'FAIL: Request succeeded unexpectedly with response ' :
        'FAIL: Request succeeded with incorrect response ';
    console.log(failure + responseText);
  };

  // Every rejection lands here and the error object is not inspected, so a
  // PASS line means "the request failed", not specifically "CSP blocked it";
  // an unreachable test server would produce the same output.
  const reportFailure = () => {
    console.log(
        expectBlocked ? 'PASS: Request blocked by CSP as expected.' :
                        'FAIL: Request failed unexpectedly.');
  };

  // Whatever the outcome, post 'next' so the 'message' listener registered by
  // the driver at the bottom of the file can start the following sub-test.
  const signalNext = () => {
    window.postMessage('next', '*');
  };

  fetch(requestUrl)
      .then(readBody)
      .then(reportResponse)
      .catch(reportFailure)
      .finally(signalNext);
}

// World id handed to testRunner.setIsolatedWorldInfo() and
// testRunner.evaluateScriptInIsolatedWorld() by the code below.
const isolatedWorldId = 1;
// Passed as the second argument of testRunner.setIsolatedWorldInfo() by the
// sub-tests that also supply a CSP string.
// NOTE(review): presumably the security origin assigned to the isolated
// world; the 'chrome-extensions' scheme spelling is kept as written - confirm
// it is intentional.
const isolatedWorldSecurityOrigin = 'chrome-extensions://123';

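/**
 * Runs testFetch() inside the isolated world identified by isolatedWorldId.
 *
 * The script handed to the isolated world is the source text of testFetch
 * followed by a single call to it, so testFetch has to be self-contained.
 *
 * @param {boolean} expectBlocked Forwarded to testFetch().
 * @param {boolean=} redirect Forwarded to testFetch(); a missing value is
 *     forwarded as false.
 */
function testFetchInIsolatedWorld(expectBlocked, redirect) {
  // Both flags are collapsed to the literals 'true' / 'false' before being
  // spliced into the script text, so nothing other than a boolean literal can
  // end up in the generated call.
  const expectBlockedLiteral = String(Boolean(expectBlocked));
  const redirectLiteral = String(Boolean(redirect));

  // Stringify the function directly rather than through eval('testFetch'):
  // the result is the same source text, and this helper no longer depends on
  // eval being permitted for this page's main world.
  const script = `${String(testFetch)}\ntestFetch(${expectBlockedLiteral}, ${
      redirectLiteral});`;

  testRunner.evaluateScriptInIsolatedWorld(isolatedWorldId, script);
}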

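// Ordered list of sub-tests. The driver at the bottom of the file runs one
// entry per 'next' message, so each entry starts exactly one testFetch() call
// (directly or via testFetchInIsolatedWorld()), whose completion posts 'next'.
const tests = [
  // Main world: no isolated world involved.
  function() {
    console.log(
        'Testing main world. Request should be blocked by main world CSP.');
    testFetch(true);
  },
  // Isolated world with neither origin nor CSP configured.
  function() {
    console.log(
        'Testing isolated world with no csp. Request should be blocked by ' +
        'main world CSP.');
    testRunner.setIsolatedWorldInfo(isolatedWorldId, null, null);
    testFetchInIsolatedWorld(true);
  },
  // Isolated world whose own CSP allows every connect-src target.
  function() {
    console.log('Testing isolated world with permissive csp.');
    testRunner.setIsolatedWorldInfo(
        isolatedWorldId, isolatedWorldSecurityOrigin, 'connect-src *');
    testFetchInIsolatedWorld(false);
  },
  // Same permissive CSP, with the request going through a redirect.
  function() {
    console.log(
        'Testing fetch redirect in isolated world with permissive csp.');
    testRunner.setIsolatedWorldInfo(
        isolatedWorldId, isolatedWorldSecurityOrigin, 'connect-src *');
    testFetchInIsolatedWorld(false, true /* redirect */);
  },
  // Isolated world whose own CSP restricts connect-src to 'self'.
  function() {
    console.log('Testing isolated world with strict csp.');
    testRunner.setIsolatedWorldInfo(
        isolatedWorldId, isolatedWorldSecurityOrigin, 'connect-src \'self\'');
    testFetchInIsolatedWorld(true);

    // Clear the isolated world data. Uses the shared id constant so the reset
    // always targets the world that was configured above.
    // NOTE(review): the fetch above has only been started, not settled, when
    // this runs; presumably the policy decision for it has already been made
    // by then - confirm.
    testRunner.setIsolatedWorldInfo(isolatedWorldId, null, null);
  },
  // Strict CSP again, with the request going through a redirect. The world
  // info is not cleared after this last entry.
  function() {
    console.log('Testing fetch redirect in isolated world with strict csp.');
    testRunner.setIsolatedWorldInfo(
        isolatedWorldId, isolatedWorldSecurityOrigin, 'connect-src \'self\'');
    testFetchInIsolatedWorld(true, true /* redirect */);
  },
];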

// Nothing runs unless the harness object window.testRunner is present.
if (window.testRunner) {
  testRunner.dumpAsText();
  testRunner.waitUntilDone();

  let currentTest = 0;

  // Sequencer: testFetch() posts 'next' when its request settles, and each
  // such message starts the following entry of |tests|. The listener does not
  // check the sender (e.origin / e.source); it accepts 'next' from anyone,
  // which is tolerable on a test page only.
  const onMessage = function(e) {
    if (e.data != 'next')
      return;

    // Move to the next test.
    currentTest += 1;
    if (currentTest == tests.length) {
      testRunner.notifyDone();
      return;
    }

    // Move to the next sub-test.
    tests[currentTest]();
  };
  window.addEventListener('message', onMessage, false);

  tests[0]();
}