[CSP] Add WPT for reports sent by workers

This CL adds Web Platform Tests for Content Security Policy, checking
that dedicated and shared workers send reports on violations.

The tests are failing at the moment, since chrome does not support
reporting for workers yet. This fill we fixed in a follow-up patch.

This CL also fixes the dedicated worker tests to check that CSP are
not inherited by the creator. Chrome implements the wrong behaviour
here, and that should be addressed in a separate change.

Bug: 929370,1012640
Change-Id: Iaf4c4db42714948315376986673e6e1385e566a9
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2965920
Reviewed-by: Arthur Sonzogni <[email protected]>
Commit-Queue: Antonio Sartori <[email protected]>
Cr-Commit-Position: refs/heads/master@{#893457}

content-security-policy/inside-worker/dedicatedworker-connect-src.html

@@ -0,0 +1,58 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<!-- Test the 'connect-src' directive on dedicated workers -->
+<script>
+  let reportCookieName = location.pathname.split('/')[
+    location.pathname.split('/').length - 1].split('.')[0];
+  let reportID = document.cookie.split('; ')
+      .find(cookie => cookie.startsWith(reportCookieName + '='))
+      .split('=')[1].trim();
+
+  promise_test(async t => {
+    // Dedicated workers honor CSP received in their response headers.
+    await fetch_tests_from_worker(
+      new Worker(
+        `./support/connect-src-self.sub.js?id=${reportID}` +
+          `&test-name=connect-src 'self'` +
+          `&pipe=sub|header(Content-Security-Policy,` +
+          `connect-src 'self' ; report-uri ` +
+          `/reporting/resources/report.py?op=put%26reportID=${reportID})`));
+
+
+    let blob = await fetch(`./support/connect-src-self.sub.js?id=${reportID}` +
+                        `&test-name=connect-src 'self'`)
+        .then(r => r.blob());
+
+    // 'blob:' URL workers inherit CSP.
+    let blob_url = URL.createObjectURL(blob);
+    await fetch_tests_from_worker(new Worker(blob_url));
+
+    if (window.webkitRequestFileSystem) {
+      // 'filesystem:' URL workers inherit CSP.
+      let fs = await new Promise(resolve =>
+        window.webkitRequestFileSystem(window.TEMPORARY, 1024*1024, resolve));
+
+      let fs_entry = await new Promise(resolve =>
+        fs.root.getFile('dedicated-inheritance-worker.js',
+                        { create: true }, resolve));
+
+      let writer = await new Promise(resolve => fs_entry.createWriter(resolve));
+
+      writer.onerror = t.unreached_func("Could not write to filesystem entry");
+
+      writer.write(blob);
+      await new Promise(resolve => writer.onwriteend = resolve);
+
+      let fs_url = fs_entry.toURL();
+      await fetch_tests_from_worker(new Worker(fs_url));
+    }
+
+    // Dedicated workers do not inherit CSP in general.
+    // We put this at the end since chrome is failing this at the moment, and
+    // this sends reports which would make the report checks in the other tests
+    // fail.
+    await fetch_tests_from_worker(
+      new Worker("./support/connect-src-allow.sub.js"));
+  });
+</script>

content-security-policy/inside-worker/dedicatedworker-connect-src.html.sub.headers

@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: dedicatedworker-connect-src={{$id:uuid()}}; Path=/content-security-policy/inside-worker/
+Content-Security-Policy: connect-src 'self' ; report-uri /reporting/resources/report.py?op=put&reportID={{$id}}

content-security-policy/inside-worker/dedicatedworker-report-only.html

@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<!-- Test the 'connect-src' directive on dedicated workers in report-only mode
+-->
+<script>
+  let reportCookieName = location.pathname.split('/')[
+    location.pathname.split('/').length - 1].split('.')[0];
+  let reportID = document.cookie.split('; ')
+      .find(cookie => cookie.startsWith(reportCookieName + '='))
+      .split('=')[1].trim();
+
+  fetch_tests_from_worker(new Worker(
+    `./support/connect-src-self-report-only.sub.js?id=${reportID}`));
+</script>

content-security-policy/inside-worker/dedicatedworker-report-only.html.sub.headers

@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: dedicatedworker-report-only={{$id:uuid()}}; Path=/content-security-policy/inside-worker/
+Content-Security-Policy-Report-Only: connect-src 'self'; report-uri /reporting/resources/report.py?op=put&reportID={{$id}}

content-security-policy/inside-worker/dedicatedworker-script-src.html

@@ -0,0 +1,58 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<!-- Test the 'script-src' directive on dedicated workers -->
+<script nonce="a">
+  let reportCookieName = location.pathname.split('/')[
+    location.pathname.split('/').length - 1].split('.')[0];
+  let reportID = document.cookie.split('; ')
+      .find(cookie => cookie.startsWith(reportCookieName + '='))
+      .split('=')[1].trim();
+
+  promise_test(async t => {
+    // Dedicated workers honor CSP received in their response headers.
+    await fetch_tests_from_worker(
+      new Worker(
+        `./support/script-src-self.sub.js?id=${reportID}` +
+          `&test-name=script-src 'self'` +
+          `&pipe=sub|header(Content-Security-Policy,` +
+          `script-src 'self' ; report-uri ` +
+          `/reporting/resources/report.py?op=put%26reportID=${reportID})`));
+
+
+    let blob = await fetch(`./support/script-src-self.sub.js?id=${reportID}` +
+                        `&test-name=script-src 'self'`)
+        .then(r => r.blob());
+
+    // 'blob:' URL workers inherit CSP.
+    let blob_url = URL.createObjectURL(blob);
+    await fetch_tests_from_worker(new Worker(blob_url));
+
+    if (window.webkitRequestFileSystem) {
+      // 'filesystem:' URL workers inherit CSP.
+      let fs = await new Promise(resolve =>
+        window.webkitRequestFileSystem(window.TEMPORARY, 1024*1024, resolve));
+
+      let fs_entry = await new Promise(resolve =>
+        fs.root.getFile('dedicated-inheritance-worker.js',
+                        { create: true }, resolve));
+
+      let writer = await new Promise(resolve => fs_entry.createWriter(resolve));
+
+      writer.onerror = t.unreached_func("Could not write to filesystem entry");
+
+      writer.write(blob);
+      await new Promise(resolve => writer.onwriteend = resolve);
+
+      let fs_url = fs_entry.toURL();
+      await fetch_tests_from_worker(new Worker(fs_url));
+    }
+
+    // Dedicated workers do not inherit CSP in general.
+    // We put this at the end since chrome is failing this at the moment, and
+    // this sends reports which would make the report checks in the other tests
+    // fail.
+    await fetch_tests_from_worker(
+      new Worker("./support/script-src-allow.sub.js"));
+  });
+</script>

content-security-policy/inside-worker/dedicatedworker-script-src.html.sub.headers

@@ -0,0 +1,6 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Set-Cookie: dedicatedworker-script-src={{$id:uuid()}}; Path=/content-security-policy/inside-worker/
+Content-Security-Policy: script-src 'self' 'nonce-a' blob: filesystem: ; report-uri /reporting/resources/report.py?op=put&reportID={{$id}}

content-security-policy/inside-worker/serviceworker-connect-src.https.sub.html

@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<!-- Test the 'connect-src' directive on service workers -->
+<meta http-equiv="content-security-policy" content="connect-src 'self'">
+<script>
+  [ // Service workers do not inherit CSP.
+    "./support/connect-src-allow.sub.js",
+
+    // Service workers honor CSP received in their response headers.
+    "./support/connect-src-self.sub.js?id={{$id1:uuid()}}" +
+      "&test-name=connect-src 'self'" +
+      "&pipe=sub|header(Content-Security-Policy," +
+      "connect-src 'self' ; report-uri " +
+      "/reporting/resources/report.py?op=put%26reportID={{$id1}})",
+
+    // Also test that connect-src falls back to default-src.
+    "./support/connect-src-self.sub.js?id={{$id2:uuid()}}" +
+      "&test-name=default-src 'self'" +
+      "&pipe=sub|header(Content-Security-Policy," +
+      "default-src 'self' ; report-uri " +
+      "/reporting/resources/report.py?op=put%26reportID={{$id2}})"]
+  .forEach(url => {
+    promise_test(async t => {
+      let r = await navigator.serviceWorker.register(
+        url, {scope: "./support/blank.html"});
+      t.add_cleanup(_ => r.unregister());
+      let sw = r.active || r.installing || r.waiting;
+      await fetch_tests_from_worker(sw);
+    });
+  });
+</script>

content-security-policy/inside-worker/serviceworker-report-only.https.sub.html

@@ -0,0 +1,15 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<!-- Test the 'connect-src' directive on service workers in report-only mode
+-->
+<script>
+  promise_test(async t => {
+    let r = await navigator.serviceWorker.register(
+      "./support/connect-src-self-report-only.sub.js?id={{uuid()}}",
+      {scope: "./support/blank.html"});
+    t.add_cleanup(_ => r.unregister());
+    let sw = r.active || r.installing || r.waiting;
+    await fetch_tests_from_worker(sw);
+  });
+</script>

content-security-policy/inside-worker/serviceworker-script-src.https.sub.html

@@ -0,0 +1,32 @@
+<!DOCTYPE html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<!-- Test the 'script-src' directive on service workers -->
+<meta http-equiv="content-security-policy" content="script-src 'self' 'nonce-a' blob: filesystem:">
+<script nonce="a">
+  [ // Service worker do not inherit CSP.
+    "./support/script-src-allow.sub.js",
+
+    // Service workers honor CSP received in their response headers.
+    "./support/script-src-self.sub.js?id={{$id1:uuid()}}" +
+      "&test-name=script-src 'self'" +
+      "&pipe=sub|header(Content-Security-Policy," +
+      "script-src 'self' ; report-uri " +
+      "/reporting/resources/report.py?op=put%26reportID={{$id1}})",
+
+    // Also check that script-src falls back to default-src.
+    "./support/script-src-self.sub.js?id={{$id2:uuid()}}" +
+      "&test-name=default-src 'self'" +
+      "&pipe=sub|header(Content-Security-Policy," +
+      "default-src 'self' ; report-uri " +
+      "/reporting/resources/report.py?op=put%26reportID={{$id2}})"]
+  .forEach(url => {
+    promise_test(async t => {
+      let r = await navigator.serviceWorker.register(
+        url, {scope: "./support/blank.html"});
+      t.add_cleanup(_ => r.unregister());
+      let sw = r.active || r.installing || r.waiting;
+      await fetch_tests_from_worker(sw);
+    });
+  });
+</script>