Currently, we have almost no tests for CSP support in worklet implementation. We should add them. Relevant spec PR: https://github.com/w3c/webappsec-csp/pull/205
For reference: - "worklet-src directive needed for worklets?" (w3c/webappsec-csp) https://github.com/w3c/webappsec-csp/issues/203 => use "script-src" for worklets for now.
A CL to add tests for CSP directives on addModule() is now under review: https://chromium-review.googlesource.com/c/chromium/src/+/763169
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/42ef93fce2a7b02ea10c1683226b908cd651a0ce commit 42ef93fce2a7b02ea10c1683226b908cd651a0ce Author: Hiroki Nakagawa <nhiroki@chromium.org> Date: Wed Nov 15 03:05:38 2017 Worklet: Add tests for CSP directives on addModule() Worklet module fetch should obey the script-src directives, not the worker-src directives. This CL adds WPT tests for that. Spec discussion: https://github.com/w3c/webappsec-csp/issues/203 Bug: 773786 Change-Id: I3b8ac7abfa0920e3b93a18b726e87871c62f8f3f Reviewed-on: https://chromium-review.googlesource.com/763169 Commit-Queue: Hiroki Nakagawa <nhiroki@chromium.org> Reviewed-by: Kouhei Ueno <kouhei@chromium.org> Reviewed-by: Mike West <mkwst@chromium.org> Cr-Commit-Position: refs/heads/master@{#516576} [add] https://crrev.com/42ef93fce2a7b02ea10c1683226b908cd651a0ce/third_party/WebKit/LayoutTests/external/wpt/worklets/animation-worklet-csp.https.html [add] https://crrev.com/42ef93fce2a7b02ea10c1683226b908cd651a0ce/third_party/WebKit/LayoutTests/external/wpt/worklets/paint-worklet-csp.https.html [add] https://crrev.com/42ef93fce2a7b02ea10c1683226b908cd651a0ce/third_party/WebKit/LayoutTests/external/wpt/worklets/resources/csp-tests.js [add] https://crrev.com/42ef93fce2a7b02ea10c1683226b908cd651a0ce/third_party/WebKit/LayoutTests/external/wpt/worklets/resources/import-empty-worklet-script.js [add] https://crrev.com/42ef93fce2a7b02ea10c1683226b908cd651a0ce/third_party/WebKit/LayoutTests/external/wpt/worklets/resources/import-remote-origin-empty-worklet-script.sub.js
Another CL is now under review: "Worklet: Set Content-Security-Policy headers in WorkletGlobalScope" https://chromium-review.googlesource.com/c/chromium/src/+/771051 A remaining work is to test mixed-contents.
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/ddc8598e203e473eb87116fe87d4e4281dcec5b6 commit ddc8598e203e473eb87116fe87d4e4281dcec5b6 Author: Hiroki Nakagawa <nhiroki@chromium.org> Date: Fri Dec 01 02:21:24 2017 Worklet: Make "unsafe-eval" CSP directive available for worklets "unsafe-eval" CSP directive is enabled in WorkerOrWorkletScriptController::Evaluate(). This function is called for classic script evaluation, not for module script evaluation that worklets depend on. This means the current implementation doesn't work for worklets. To enable the directive for worklets, this CL moves the part from Evaluate() to InitializeContextIfNeeded() that is supposed to be called for both classic and module script evaluation. This CL also fixes ExecutionContext handling in CodeGenerationCheckCallbackInMainThread(). This path is called not only from Document but also from PaintWorklet. This change is tested for workers by existing CSP tests, and will be tested for worklets by tests to be added by a following change: https://chromium-review.googlesource.com/c/chromium/src/+/771051 Bug: 773786 Change-Id: I29232a4297b2f4819f1fe28f3230fc7ea4f769f6 Reviewed-on: https://chromium-review.googlesource.com/799654 Reviewed-by: Kentaro Hara <haraken@chromium.org> Commit-Queue: Hiroki Nakagawa <nhiroki@chromium.org> Cr-Commit-Position: refs/heads/master@{#520806} [modify] https://crrev.com/ddc8598e203e473eb87116fe87d4e4281dcec5b6/third_party/WebKit/Source/bindings/core/v8/V8Initializer.cpp [modify] https://crrev.com/ddc8598e203e473eb87116fe87d4e4281dcec5b6/third_party/WebKit/Source/bindings/core/v8/WorkerOrWorkletScriptController.cpp
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/7a42f3112496150293df1c022f176ce615898c70 commit 7a42f3112496150293df1c022f176ce615898c70 Author: Hiroki Nakagawa <nhiroki@chromium.org> Date: Thu Dec 07 23:30:17 2017 Worklet: Set Content-Security-Policy headers in WorkletGlobalScope This CL sets Content-Security-Policy headers in WorkletGlobalScope. WorkletGlobalScope inherits the owner document's headers as the spec: https://drafts.css-houdini.org/worklets/#creating-a-workletglobalscope This CL also adds tests for 'unsafe-eval' CSP directive on WorkletGlobalScope. Worklets don't have communication mechanism to the owner Document, so the tests confirm the results using console outputs as a workaround. This is the reason why this CL puts tests in http/tests/worklet/, not in external/wpt/worklets/. Bug: 773786 Change-Id: Ic6ebf3eb5dfd2baae56630415ff40589a362735a Reviewed-on: https://chromium-review.googlesource.com/771051 Reviewed-by: Mike West <mkwst@chromium.org> Reviewed-by: Kinuko Yasuda <kinuko@chromium.org> Commit-Queue: Hiroki Nakagawa <nhiroki@chromium.org> Cr-Commit-Position: refs/heads/master@{#522609} [add] https://crrev.com/7a42f3112496150293df1c022f176ce615898c70/third_party/WebKit/LayoutTests/http/tests/worklet/animation-worklet-csp-eval-expected.txt [add] https://crrev.com/7a42f3112496150293df1c022f176ce615898c70/third_party/WebKit/LayoutTests/http/tests/worklet/animation-worklet-csp-eval.html [add] https://crrev.com/7a42f3112496150293df1c022f176ce615898c70/third_party/WebKit/LayoutTests/http/tests/worklet/paint-worklet-csp-eval-expected.txt [add] https://crrev.com/7a42f3112496150293df1c022f176ce615898c70/third_party/WebKit/LayoutTests/http/tests/worklet/paint-worklet-csp-eval.html [add] https://crrev.com/7a42f3112496150293df1c022f176ce615898c70/third_party/WebKit/LayoutTests/http/tests/worklet/resources/addmodule-window-with-unsafe-eval.html [add] https://crrev.com/7a42f3112496150293df1c022f176ce615898c70/third_party/WebKit/LayoutTests/http/tests/worklet/resources/addmodule-window.html [add] https://crrev.com/7a42f3112496150293df1c022f176ce615898c70/third_party/WebKit/LayoutTests/http/tests/worklet/resources/csp-eval-tests.js [add] https://crrev.com/7a42f3112496150293df1c022f176ce615898c70/third_party/WebKit/LayoutTests/http/tests/worklet/resources/eval-worklet-script.js [add] https://crrev.com/7a42f3112496150293df1c022f176ce615898c70/third_party/WebKit/LayoutTests/http/tests/worklet/resources/worklet-test-utils.js [modify] https://crrev.com/7a42f3112496150293df1c022f176ce615898c70/third_party/WebKit/Source/core/frame/csp/ContentSecurityPolicy.cpp [modify] https://crrev.com/7a42f3112496150293df1c022f176ce615898c70/third_party/WebKit/Source/core/workers/MainThreadWorkletTest.cpp [modify] https://crrev.com/7a42f3112496150293df1c022f176ce615898c70/third_party/WebKit/Source/core/workers/ThreadedWorkletTest.cpp [modify] https://crrev.com/7a42f3112496150293df1c022f176ce615898c70/third_party/WebKit/Source/core/workers/WorkerGlobalScope.cpp [modify] https://crrev.com/7a42f3112496150293df1c022f176ce615898c70/third_party/WebKit/Source/core/workers/WorkerGlobalScope.h [modify] https://crrev.com/7a42f3112496150293df1c022f176ce615898c70/third_party/WebKit/Source/core/workers/WorkerOrWorkletGlobalScope.cpp [modify] https://crrev.com/7a42f3112496150293df1c022f176ce615898c70/third_party/WebKit/Source/core/workers/WorkerOrWorkletGlobalScope.h [modify] https://crrev.com/7a42f3112496150293df1c022f176ce615898c70/third_party/WebKit/Source/core/workers/WorkletGlobalScope.cpp [modify] https://crrev.com/7a42f3112496150293df1c022f176ce615898c70/third_party/WebKit/Source/core/workers/WorkletGlobalScope.h [modify] https://crrev.com/7a42f3112496150293df1c022f176ce615898c70/third_party/WebKit/Source/modules/csspaint/PaintWorkletGlobalScopeProxy.cpp
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/ca01c263f4f460780c05a2441d8e5ca298b8772e commit ca01c263f4f460780c05a2441d8e5ca298b8772e Author: Hiroki Nakagawa <nhiroki@chromium.org> Date: Wed Dec 13 22:05:01 2017 Worklet: Add tests for 'upgrade-insecure-requests' CSP directive Bug: 773786 Change-Id: I3adeee81922031e9f2a713027215ab5d08a3e585 Reviewed-on: https://chromium-review.googlesource.com/816275 Reviewed-by: Mike West <mkwst@chromium.org> Commit-Queue: Hiroki Nakagawa <nhiroki@chromium.org> Cr-Commit-Position: refs/heads/master@{#523900} [modify] https://crrev.com/ca01c263f4f460780c05a2441d8e5ca298b8772e/third_party/WebKit/LayoutTests/external/wpt/worklets/resources/csp-tests.js [add] https://crrev.com/ca01c263f4f460780c05a2441d8e5ca298b8772e/third_party/WebKit/LayoutTests/external/wpt/worklets/resources/import-insecure-origin-empty-worklet-script.sub.js
Comment 1 by nhiroki@chromium.org
, Oct 11 2017