Script modules should be able to import data urls

https://bugs.webkit.org/show_bug.cgi?id=171594

Reviewed by Youenn Fablet.

LayoutTests/imported/w3c:

* web-platform-tests/html/semantics/scripting-1/the-script-element/data-url-expected.txt:
* web-platform-tests/html/webappapis/scripting/processing-model-2/compile-error-data-url-expected.txt:
* web-platform-tests/html/webappapis/scripting/processing-model-2/runtime-error-data-url-expected.txt:

Source/WebCore:

Tests: js/dom/classic-script-with-data-url.html
       js/dom/modules/module-script-with-data-url.html

Script tag resources should have SameOriginDataURLFlag::Set to load data URLs
since script tags should treat data URLs as same origin.

* bindings/js/CachedScriptFetcher.cpp:
(WebCore::CachedScriptFetcher::requestScriptWithCache):

LayoutTests:

* http/tests/security/script-with-dataurl-expected.txt:
* http/tests/security/script-with-dataurl.html:
Now, the spec is changed and errors from data: scripts should not be muted.
whatwg/html#1778

* js/dom/classic-script-with-data-url-expected.txt: Added.
* js/dom/classic-script-with-data-url.html: Added.
* js/dom/modules/module-script-with-data-url-expected.txt: Added.
* js/dom/modules/module-script-with-data-url.html: Added.


git-svn-id: http://svn.webkit.org/repository/webkit/trunk@217760 268f45cc-cd09-0410-ab3c-d52691b4dbfc

LayoutTests/ChangeLog

@@ -1,3 +1,20 @@
+2017-06-03  Yusuke Suzuki  <utatane.tea@gmail.com>
+
+        Script modules should be able to import data urls
+        https://bugs.webkit.org/show_bug.cgi?id=171594
+
+        Reviewed by Youenn Fablet.
+
+        * http/tests/security/script-with-dataurl-expected.txt:
+        * http/tests/security/script-with-dataurl.html:
+        Now, the spec is changed and errors from data: scripts should not be muted.
+        https://github.com/whatwg/html/issues/1778
+
+        * js/dom/classic-script-with-data-url-expected.txt: Added.
+        * js/dom/classic-script-with-data-url.html: Added.
+        * js/dom/modules/module-script-with-data-url-expected.txt: Added.
+        * js/dom/modules/module-script-with-data-url.html: Added.
+
 2017-06-03  Jonathan Bedard  <jbedard@apple.com>
 
         Move css3/flexbox/image-percent-max-height.html failure expectation.

LayoutTests/http/tests/security/script-with-dataurl-expected.txt

@@ -1,10 +1,10 @@
 CONSOLE MESSAGE: line 1: PASS: my data URL in no-cors mode is throwing rich messages
-CONSOLE MESSAGE: Origin http://127.0.0.1:8000 is not allowed by Access-Control-Allow-Origin.
-CONSOLE MESSAGE: Cross-origin script load denied by Cross-Origin Resource Sharing policy.
+CONSOLE MESSAGE: line 1: PASS: my error is rich
 Trying to load data URLs scripts. If being loaded, the scripts should throw error messages.
 
-Received error 'Script error.' from '', location 0:0.
+Received error 'PASS: my data URL in no-cors mode is throwing rich messages' from 'data:text/script, throw 'PASS: my data URL in no-cors mode is throwing rich messages';', location 1:69.
 PASS: loaded script in no-cors mode
-PASS: did not load script in cors mode
+Received error 'PASS: my error is rich' from 'data:text/script, throw 'PASS: my error is rich';', location 1:32.
+PASS: loaded script in cors mode
 DONE
 

LayoutTests/http/tests/security/script-with-dataurl.html

@@ -35,9 +35,9 @@
 {
     var script = document.createElement("script");
     script.crossOrigin = "";
-    script.src = "data:text/script, throw 'FAIL: my error is too rich!'";
-    script.onload = () => { log("FAIL: loaded script in cors mode"); done(); }
-    script.onerror = () => { log("PASS: did not load script in cors mode"); done(); }
+    script.src = "data:text/script, throw 'PASS: my error is rich';";
+    script.onload = () => { log("PASS: loaded script in cors mode"); done(); }
+    script.onerror = () => { log("FAIL: did not load script in cors mode"); done(); }
     document.body.appendChild(script);
 }
 

LayoutTests/imported/w3c/ChangeLog

@@ -1,3 +1,14 @@
+2017-06-03  Yusuke Suzuki  <utatane.tea@gmail.com>
+
+        Script modules should be able to import data urls
+        https://bugs.webkit.org/show_bug.cgi?id=171594
+
+        Reviewed by Youenn Fablet.
+
+        * web-platform-tests/html/semantics/scripting-1/the-script-element/data-url-expected.txt:
+        * web-platform-tests/html/webappapis/scripting/processing-model-2/compile-error-data-url-expected.txt:
+        * web-platform-tests/html/webappapis/scripting/processing-model-2/runtime-error-data-url-expected.txt:
+
 2017-06-02  Javier Fernandez  <jfernandez@igalia.com>
 
         [css-grid] Margin wrong applied when stretching an orthogonal item in fixed size track

LayoutTests/imported/w3c/web-platform-tests/html/semantics/scripting-1/the-script-element/data-url-expected.txt

@@ -1,8 +1,6 @@
 CONSOLE MESSAGE: line 1: 1
-CONSOLE MESSAGE: Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
-CONSOLE MESSAGE: Cross-origin script load denied by Cross-Origin Resource Sharing policy.
-CONSOLE MESSAGE: Origin http://localhost:8800 is not allowed by Access-Control-Allow-Origin.
-CONSOLE MESSAGE: Cross-origin script load denied by Cross-Origin Resource Sharing policy.
+CONSOLE MESSAGE: line 1: 2
+CONSOLE MESSAGE: line 1: 3
 
-FAIL Test data URL and scripts errors assert_not_equals: got disallowed value "Script error."
+PASS Test data URL and scripts errors 
 

LayoutTests/imported/w3c/web-platform-tests/html/webappapis/scripting/processing-model-2/compile-error-data-url-expected.txt

@@ -1,5 +1,5 @@
 CONSOLE MESSAGE: line 1: SyntaxError: Unexpected token ')'
 
-FAIL window.onerror - compile error in <script src=data:...> assert_equals: second arg expected "data:text/javascript,for(;){}" but got ""
+PASS window.onerror - compile error in <script src=data:...> 
 PASS window.onerror - compile error in <script src=data:...> (column) 
 

LayoutTests/imported/w3c/web-platform-tests/html/webappapis/scripting/processing-model-2/runtime-error-data-url-expected.txt

@@ -1,5 +1,5 @@
 CONSOLE MESSAGE: line 1: ReferenceError: Can't find variable: undefined_variable
 
-FAIL window.onerror - runtime error in <script src=data:...> assert_equals: second arg expected "data:text/javascript,undefined_variable;" but got ""
+PASS window.onerror - runtime error in <script src=data:...> 
 PASS window.onerror - runtime error in <script src=data:...> (column) 
 

LayoutTests/js/dom/classic-script-with-data-url-expected.txt

@@ -0,0 +1,3 @@
+
+PASS Classic script tags with crossorigin attribute must load data URLs 
+

LayoutTests/js/dom/classic-script-with-data-url.html

@@ -0,0 +1,22 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>Classic script tags with crossorigin attribute must load data URLs</title>
+<script src="../../resources/testharness.js"></script>
+<script src="../../resources/testharnessreport.js"></script>
+</head>
+<body>
+<script src="data:application/javascript;charset=utf-8,window.noCrossOrigin%20%3D%20true%3B"></script>
+<script crossorigin="anonymous" src="data:application/javascript;charset=utf-8,window.anonymous%20%3D%20true%3B"></script>
+<script crossorigin="use-credentials" src="data:application/javascript;charset=utf-8,window.credentials%20%3D%20true%3B"></script>
+<script>
+
+test(() => {
+    assert_equals(window.noCrossOrigin, true);
+    assert_equals(window.anonymous, true);
+    assert_equals(window.credentials, true);
+}, 'Classic script tags with crossorigin attribute must load data URLs');
+
+</script>
+</body>
+</html>

LayoutTests/js/dom/modules/module-script-with-data-url-expected.txt

@@ -0,0 +1,3 @@
+
+PASS Module script tags with crossorigin attribute must load data URLs 
+

LayoutTests/js/dom/modules/module-script-with-data-url.html

@@ -0,0 +1,39 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>Module script tags with crossorigin attribute must load data URLs</title>
+<script src="../../../resources/testharness.js"></script>
+<script src="../../../resources/testharnessreport.js"></script>
+</head>
+<body>
+<script type="module" src="data:application/javascript;charset=utf-8,window.noCrossOrigin%20%3D%20true%3B"></script>
+<script type="module" crossorigin="anonymous" src="data:application/javascript;charset=utf-8,window.anonymous%20%3D%20true%3B"></script>
+<script type="module" crossorigin="use-credentials" src="data:application/javascript;charset=utf-8,window.credentials%20%3D%20true%3B"></script>
+<script type="module">
+import "data:application/javascript;charset=utf-8,window.noCrossOriginImport%20%3D%20true%3B";
+</script>
+<script type="module" crossorigin="anonymous">
+import "data:application/javascript;charset=utf-8,window.anonymousImport%20%3D%20true%3B";
+</script>
+<script type="module" crossorigin="use-credentials">
+import "data:application/javascript;charset=utf-8,window.credentialsImport%20%3D%20true%3B";
+</script>
+<script>
+waitForLoadEvent = new Promise((resolve) => {
+    window.onload = resolve;
+});
+
+promise_test(() => {
+    return waitForLoadEvent.then(() => {
+        assert_equals(window.noCrossOrigin, true);
+        assert_equals(window.anonymous, true);
+        assert_equals(window.credentials, true);
+        assert_equals(window.noCrossOriginImport, true);
+        assert_equals(window.anonymousImport, true);
+        assert_equals(window.credentialsImport, true);
+    });
+}, 'Module script tags with crossorigin attribute must load data URLs');
+
+</script>
+</body>
+</html>

Source/WebCore/ChangeLog

@@ -1,3 +1,19 @@
+2017-06-03  Yusuke Suzuki  <utatane.tea@gmail.com>
+
+        Script modules should be able to import data urls
+        https://bugs.webkit.org/show_bug.cgi?id=171594
+
+        Reviewed by Youenn Fablet.
+
+        Tests: js/dom/classic-script-with-data-url.html
+               js/dom/modules/module-script-with-data-url.html
+
+        Script tag resources should have SameOriginDataURLFlag::Set to load data URLs
+        since script tags should treat data URLs as same origin.
+
+        * bindings/js/CachedScriptFetcher.cpp:
+        (WebCore::CachedScriptFetcher::requestScriptWithCache):
+
 2017-06-03  Simon Fraser  <simon.fraser@apple.com>
 
         Sort the project file.

Source/WebCore/bindings/js/CachedScriptFetcher.cpp

@@ -53,6 +53,7 @@ CachedResourceHandle<CachedScript> CachedScriptFetcher::requestScriptWithCache(D
     bool hasKnownNonce = document.contentSecurityPolicy()->allowScriptWithNonce(m_nonce, m_isInUserAgentShadowTree);
     ResourceLoaderOptions options = CachedResourceLoader::defaultCachedResourceOptions();
     options.contentSecurityPolicyImposition = hasKnownNonce ? ContentSecurityPolicyImposition::SkipPolicyCheck : ContentSecurityPolicyImposition::DoPolicyCheck;
+    options.sameOriginDataURLFlag = SameOriginDataURLFlag::Set;
 
     CachedResourceRequest request(ResourceRequest(sourceURL), options);
     request.setAsPotentiallyCrossOrigin(crossOriginMode, document);