Bug 165870 - Add a few Worker loading tests that don't seem to be explicitly handled
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: Tools / Tests
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
Importance: P2 Normal
Assignee: Joseph Pecoraro
Reported: 2016-12-14 14:37 PST by Joseph Pecoraro
Modified: 2016-12-19 13:19 PST
Attachments
[PATCH] Proposed Fix (7.52 KB, patch)
2016-12-14 14:39 PST, Joseph Pecoraro
dbates: review+
[PATCH] For Landing (7.13 KB, patch)
2016-12-16 10:51 PST, Joseph Pecoraro
no flags

Description Joseph Pecoraro 2016-12-14 14:37:46 PST
Summary:
Add a few Worker loading tests that don't seem to be explicitly handled.

Ensuring Worker loads are same-origin even on redirects.

The HTML Spec currently defines `new Worker(...)` loads as "same-origin" only:
https://html.spec.whatwg.org/multipage/webappapis.html#fetch-a-classic-worker-script

> 1. Let request be a new request whose url is url, client is fetch client settings object,
> type is "script", destination is destination, mode is "same-origin", credentials mode is
> "same-origin", parser metadata is "not parser-inserted", and whose use-URL-credentials
> flag is set.
Comment 1 Joseph Pecoraro 2016-12-14 14:39:47 PST
Created attachment 297127
[PATCH] Proposed Fix
Comment 2 Daniel Bates 2016-12-14 17:29:28 PST
Comment on attachment 297127
[PATCH] Proposed Fix

View in context: https://bugs.webkit.org/attachment.cgi?id=297127&action=review

> LayoutTests/http/tests/security/worker-same-origin.html:5
> +<!DOCTYPE html>
> +<html>
> +<head>
> +<meta http-equiv="Content-Security-Policy" content="child-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000">
> +<script src="/js-test-resources/js-test-pre.js"></script>
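
Review bot: The `child-src` policy in the `<meta>` line lists both http://127.0.0.1:8000/resources/redirect.php and http://localhost:8000, but nothing in these lines says why a test named worker-same-origin.html needs a policy that also allows a second origin. If the policy is not what is under test, drop the `<meta>` so the test covers a single case; if it is intentional, add a short comment or description stating that the policy is deliberately broad and what result is expected.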

As far as I can tell the purpose of this test is the same as the purpose of LayoutTests/http/tests/security/contentSecurityPolicy/worker-redirect-allowed.html. Can you elaborate on your intention for this test?
Comment 3 Joseph Pecoraro 2016-12-16 10:42:01 PST
(In reply to comment #2)
> Comment on attachment 297127
> [PATCH] Proposed Fix
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=297127&action=review
> 
> > LayoutTests/http/tests/security/worker-same-origin.html:5
> > +<!DOCTYPE html>
> > +<html>
> > +<head>
> > +<meta http-equiv="Content-Security-Policy" content="child-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000">
> > +<script src="/js-test-resources/js-test-pre.js"></script>
> 
> As far as I can tell the purpose of this test is the same as the purpose of
> LayoutTests/http/tests/security/contentSecurityPolicy/worker-redirect-allowed.html.
> Can you elaborate on your intention for this test?

worker-same-origin and worker-cross-origin have a broad CSP and show that redirects are only allowed for same origin and rejected for cross origin regardless of what the CSP allows. I could eliminate the CSP from these tests and they would be equally valid, so I'm going to go ahead and do that.

worker-redirect-allowed tests the CSP redirect handling. In this case it allows a worker script on the same origin as an allowed child-src directive despite the path being different.
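
The distinction drawn in the thread, as an added example that is not part of the bug or of WebKit's code: a simplified JavaScript model in which the "same-origin" request mode and the `child-src` check are evaluated independently over a redirect chain. The document URL, worker script paths and function names are assumptions made for illustration; the CSP matcher handles only plain host-sources.

```javascript
// Added illustration: a simplified model, not WebKit's implementation.
// URLs below are constructed from the hosts named in the thread; the
// document and worker script paths are assumptions.
const DOC = "http://127.0.0.1:8000/security/worker-same-origin.html";
const CHILD_SRC = [
  "http://127.0.0.1:8000/resources/redirect.php",
  "http://localhost:8000",
];
const SAME_ORIGIN_CHAIN = [
  "http://127.0.0.1:8000/resources/redirect.php",
  "http://127.0.0.1:8000/workers/resources/worker.js",
];
const CROSS_ORIGIN_CHAIN = [
  "http://127.0.0.1:8000/resources/redirect.php",
  "http://localhost:8000/workers/resources/worker.js",
];

// Request mode "same-origin": the initial URL and every redirect target
// must have the same scheme, host and port as the creating document.
function sameOriginAllows(documentURL, chain) {
  const origin = new URL(documentURL).origin;
  return chain.every((u) => new URL(u).origin === origin);
}

// Simplified CSP host-source match (no wildcards, 'self' or scheme-only
// sources). The path of a source expression is ignored after a redirect.
function sourceMatches(source, url, afterRedirect) {
  const s = new URL(source);
  const u = new URL(url);
  if (s.origin !== u.origin) return false;
  if (afterRedirect || s.pathname === "/") return true;
  return s.pathname.endsWith("/")
    ? u.pathname.startsWith(s.pathname)
    : u.pathname === s.pathname;
}

function cspAllows(sources, chain) {
  return chain.every((u, i) => sources.some((s) => sourceMatches(s, u, i > 0)));
}

// The two checks are independent; the load succeeds only if both pass.
function workerLoadAllowed(documentURL, sources, chain) {
  const csp = cspAllows(sources, chain);
  const sameOrigin = sameOriginAllows(documentURL, chain);
  return { csp, sameOrigin, allowed: csp && sameOrigin };
}

console.log(workerLoadAllowed(DOC, CHILD_SRC, SAME_ORIGIN_CHAIN));
console.log(workerLoadAllowed(DOC, CHILD_SRC, CROSS_ORIGIN_CHAIN));
```

With the broad policy both chains pass the CSP check, and only the same-origin chain is allowed to load.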
Comment 4 Joseph Pecoraro 2016-12-16 10:49:36 PST
> worker-same-origin and worker-cross-origin have a broad CSP and show that
> redirects are only allowed for same origin and rejected for cross origin
> regardless of what the CSP allows. I could eliminate the CSP from these
> tests and they would be equally valid, so I'm going to go ahead and do that.

It looks like these are effectively covered by an existing test:
LayoutTests/http/tests/workers/worker-redirect.html

I still think it is worth having these simple tests that test an individual case as simply as possible.
Comment 5 Joseph Pecoraro 2016-12-16 10:51:59 PST
Created attachment 297327
[PATCH] For Landing
Comment 6 WebKit Commit Bot 2016-12-19 12:29:28 PST
Comment on attachment 297327
[PATCH] For Landing

Clearing flags on attachment: 297327

Committed r209993: <http://trac.webkit.org/changeset/209993>