RESOLVED FIXED 165870
Add a few Worker loading tests that don't seem to be explicitly handled 
https://bugs.webkit.org/show_bug.cgi?id=165870
Summary Add a few Worker loading tests that don't seem to be explicitly handled
Joseph Pecoraro
Reported 2016-12-14 14:37:46 PST
Summary: Add a few Worker loading tests that don't seem to be explicitly handled. Ensuring Worker loads are same-origin even on redirects. The HTML Spec currently defines `new Worker(...)` loads are "same-origin" only: https://html.spec.whatwg.org/multipage/webappapis.html#fetch-a-classic-worker-script > 1. Let request be a new request whose url is url, client is fetch client settings object, > type is "script", destination is destination, mode is "same-origin", credentials mode is > "same-origin", parser metadata is "not parser-inserted", and whose use-URL-credentials > flag is set.
Attachments
[PATCH] Proposed Fix (7.52 KB, patch)
2016-12-14 14:39 PST, Joseph Pecoraro 		dbates: review+
DetailsFormatted DiffDiff
[PATCH] For Landing (7.13 KB, patch)
2016-12-16 10:51 PST, Joseph Pecoraro 		no flags
DetailsFormatted DiffDiff
View All Add attachment proposed patch, testcase, etc.
Joseph Pecoraro
Comment 1 2016-12-14 14:39:47 PST
Created attachment 297127 [details] [PATCH] Proposed Fix
Daniel Bates
Comment 2 2016-12-14 17:29:28 PST
Comment on attachment 297127 [details] [PATCH] Proposed Fix View in context: https://bugs.webkit.org/attachment.cgi?id=297127&action=review > LayoutTests/http/tests/security/worker-same-origin.html:5 > +<!DOCTYPE html> > +<html> > +<head> > +<meta http-equiv="Content-Security-Policy" content="child-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000"> > +<script src="/js-test-resources/js-test-pre.js"></script> As far as I can tell the purpose of this test is the same as the purpose of LayoutTests/http/tests/security/contentSecurityPolicy/worker-redirect-allowed.html. Can you elaborate on your intention for this test?
Joseph Pecoraro
Comment 3 2016-12-16 10:42:01 PST
(In reply to comment #2) > Comment on attachment 297127 [details] > [PATCH] Proposed Fix > > View in context: > https://bugs.webkit.org/attachment.cgi?id=297127&action=review > > > LayoutTests/http/tests/security/worker-same-origin.html:5 > > +<!DOCTYPE html> > > +<html> > > +<head> > > +<meta http-equiv="Content-Security-Policy" content="child-src http://127.0.0.1:8000/resources/redirect.php http://localhost:8000"> > > +<script src="/js-test-resources/js-test-pre.js"></script> > > As far as I can tell the purpose of this test is the same as the purpose of > LayoutTests/http/tests/security/contentSecurityPolicy/worker-redirect- > allowed.html. Can you elaborate on your intention for this test? worker-same-origin and worker-cross-origin have a broad CSP and show that redirects are only allowed for same origin and rejected for cross origin regardless of what the CSP allows. I could eliminate the CSP from these tests and they would be equally valid, so I'm going to go ahead and do that. worker-redirect-allowed tests the CSP redirect handling. In this case it allows a worker script on the same origin as an allowed child-src directive despite the path being different.
Joseph Pecoraro
Comment 4 2016-12-16 10:49:36 PST
> worker-same-origin and worker-cross-origin have a broad CSP and show that > redirects are only allowed for same origin and rejected for cross origin > regardless of what the CSP allows. I could eliminate the CSP from these > tests and they would be equally valid, so I'm going to go ahead and do that. It looks like these are effectively covered by an existing test: LayoutTests/http/tests/workers/worker-redirect.html I still think it is worth these simple tests that test an individual case as simply as possible.
Joseph Pecoraro
Comment 5 2016-12-16 10:51:59 PST
Created attachment 297327 [details] [PATCH] For Landing
WebKit Commit Bot
Comment 6 2016-12-19 12:29:28 PST
Comment on attachment 297327 [details] [PATCH] For Landing Clearing flags on attachment: 297327 Committed r209993: <http://trac.webkit.org/changeset/209993>
Note You need to log in before you can comment on or make changes to this bug.