CSP: Use parsed policies for initializing Workers/Worklets

Workers/Worklet need to take into account Content Security Policies, which are sometimes inherited by the creating document and sometimes parsed from the HTTP headers directly. At the moment, we are storing and sending around the raw CSP policies. For example, when a Worker inherits the CSPs from the creating document, we send the raw strings, which were just parsed in the document, to the Worker, where they are parsed a second time. Not only this multiple parsing of the same policy is superfluous and can be avoided. It can also create inconsistencies (see the failing WP test content-security-policy/sandbox/meta-element.sub.html) This change replaces the raw policies with the parsed CSP types, avoids multiple parsing, and fixes that test. Bug: 1021462,1149272 Change-Id: Ib431253419226d6642a086923620b3aba34feb43 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2636314 Commit-Queue: Antonio Sartori <[email protected]> Reviewed-by: Mike West <[email protected]> Reviewed-by: Hiroki Nakagawa <[email protected]> Reviewed-by: Arthur Sonzogni <[email protected]> Cr-Commit-Position: refs/heads/master@{#848069}
web-platform-tests · Jan 28, 2021 · 9ff620b · 9ff620b
1 parent 9c4b786
commit 9ff620b
Showing 1 changed file with 28 additions and 0 deletions.
diff --git a/content-security-policy/script-src/worker-data-set-timeout.sub.html b/content-security-policy/script-src/worker-data-set-timeout.sub.html
@@ -0,0 +1,28 @@
+<!DOCTYPE html>
+<html>
+
+<head>
+    <!-- We add two CSP entries on purpose. The first one does nothing
+    for the purpose of this test, but we want to check that both are
+    inherited -->
+    <meta http-equiv="Content-Security-Policy" content="object-src: 'none'">
+    <meta http-equiv="Content-Security-Policy" content="script-src data: 'self' 'unsafe-inline'; connect-src 'self';">
+    <title>worker-data-set-timeout</title>
+    <script src="/resources/testharness.js"></script>
+    <script src="/resources/testharnessreport.js"></script>
+    <script src='../support/testharness-helper.js'></script>
+</head>
+
+<body>
+    <script>
+      fetch('./support/worker-with-script-src-none-set-timeout.js')
+       .then(data => data.text())
+       .then(
+           text => assert_shared_worker_is_loaded(
+               `data:text/javascript,${text}`,
+               "Shared worker with data: url inherits CSP",
+               "setTimeout blocked"));
+    </script>
+</body>
+
+</html>