Add tests for location of sink mismatch violation in workers.

Differential Revision: https://phabricator.services.mozilla.com/D243067

bugzilla-url: https://bugzilla.mozilla.org/show_bug.cgi?id=1956424
gecko-commit: 62e51640e81489440a4c6caafe5ec7fe97005987
gecko-reviewers: smaug

Author: fred-wang

lint.ignore

@@ -287,7 +287,8 @@ SET TIMEOUT: shadow-dom/scroll-to-the-fragment-in-shadow-tree.html
 SET TIMEOUT: shadow-dom/slotchange-event.html
 SET TIMEOUT: trusted-types/support/block-string-assignment-to-DOMWindowTimers-setTimeout-setInterval.js
 SET TIMEOUT: trusted-types/support/DOMWindowTimers-setTimeout-setInterval.js
-SET TIMEOUT: trusted-types/support/should-sink-type-mismatch-violation-be-blocked-by-csp-002-worker.js
+SET TIMEOUT: trusted-types/support/should-sink-type-mismatch-violation-be-blocked-by-csp-002-worker-multiple-violations.js
+SET TIMEOUT: trusted-types/support/should-sink-type-mismatch-violation-be-blocked-by-csp-location.js
 SET TIMEOUT: trusted-types/support/trusted-types-reporting-check-report-sink-mismatch.js
 SET TIMEOUT: trusted-types/support/trusted-types-reporting-for-DOMWindowTimers-setTimeout-setInterval.js
 SET TIMEOUT: user-timing/*

trusted-types/should-sink-type-mismatch-violation-be-blocked-by-csp-002-worker.html

@@ -4,7 +4,16 @@
 <script src="/resources/testharness.js"></script>
 <script src="/resources/testharnessreport.js"></script>
 <script>
-  fetch_tests_from_worker(new Worker(
-    "support/should-sink-type-mismatch-violation-be-blocked-by-csp-002-worker.js"
-  ));
+  // WebKit test runner assumes the tests always run in the same order, so make
+  // sure fetch_tests_from_worker tests run sequentially.
+  setup({explicit_done: true});
+  (async function() {
+    await fetch_tests_from_worker(new Worker(
+      "support/should-sink-type-mismatch-violation-be-blocked-by-csp-002-worker-multiple-violations.js"
+    ));
+    await fetch_tests_from_worker(new Worker(
+      "support/should-sink-type-mismatch-violation-be-blocked-by-csp-002-worker-location.js"
+    ));
+    done();
+  })();
 </script>

trusted-types/should-sink-type-mismatch-violation-be-blocked-by-csp-003.html

@@ -0,0 +1,7 @@
+<!DOCTYPE html>
+<meta charset="UTF-8">
+<meta name="timeout" content="long">
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="./support/csp-violations.js"></script>
+<script src="./support/should-sink-type-mismatch-violation-be-blocked-by-csp-location.js"></script>

trusted-types/should-sink-type-mismatch-violation-be-blocked-by-csp-003.html.headers

@@ -0,0 +1,2 @@
+Content-Security-Policy: connect-src 'none'
+Content-Security-Policy: require-trusted-types-for 'script'

trusted-types/support/should-sink-type-mismatch-violation-be-blocked-by-csp-002-worker-location.js

@@ -0,0 +1,12 @@
+const testSetupPolicy = trustedTypes.createPolicy("testSetupPolicy", {
+  createScriptURL: s => s });
+
+importScripts(testSetupPolicy.createScriptURL("/resources/testharness.js"));
+importScripts(testSetupPolicy.createScriptURL("csp-violations.js"));
+
+// For CSP applying to this file, please refer to
+// should-sink-type-mismatch-violation-be-blocked-by-csp-002-worker-location.js.headers
+
+importScripts(testSetupPolicy.createScriptURL("should-sink-type-mismatch-violation-be-blocked-by-csp-location.js"));
+
+done();

trusted-types/support/should-sink-type-mismatch-violation-be-blocked-by-csp-002-worker-location.js.headers

@@ -0,0 +1,2 @@
+Content-Security-Policy: connect-src 'none'
+Content-Security-Policy: require-trusted-types-for 'script'

…iolation-be-blocked-by-csp-002-worker.js …by-csp-002-worker-multiple-violations.jstrusted-types/support/should-sink-type-mismatch-violation-be-blocked-by-csp-002-worker.js renamed to trusted-types/support/should-sink-type-mismatch-violation-be-blocked-by-csp-002-worker-multiple-violations.js trusted-types/support/should-sink-type-mismatch-violation-be-blocked-by-csp-002-worker.js renamed to trusted-types/support/should-sink-type-mismatch-violation-be-blocked-by-csp-002-worker-multiple-violations.js

@@ -5,10 +5,10 @@ importScripts(testSetupPolicy.createScriptURL("/resources/testharness.js"));
 importScripts(testSetupPolicy.createScriptURL("csp-violations.js"));
 
 // For CSP applying to this file, please refer to
-// should-sink-type-mismatch-violation-be-blocked-by-csp-002-worker.js.headers
+// should-sink-type-mismatch-violation-be-blocked-by-csp-002-worker-multiple-violations.js.headers
 
 promise_test(async () => {
-  let {violations, exception} = await trusted_type_violations_and_exception_for(_ => setTimeout("unsafe"));
+  let {violations, exception} = await trusted_type_violations_and_exception_for(_ => setTimeout(";;;;;"));
 
   // An exception is thrown for the violated enforced policies.
   assert_true(exception instanceof TypeError, "TypeError is thrown");
@@ -30,6 +30,6 @@ promise_test(async () => {
   assert_equals(sorted_violations[4].disposition, "report");
   assert_equals(sorted_violations[5].policy, "require-trusted-types-for 'invalid' 'script'");
   assert_equals(sorted_violations[5].disposition, "report");
-}, "Checking reported violations for setTimeout('unsafe') from DedicatedWorker");
+}, "Checking reported violations for setTimeout(';;;;;') from DedicatedWorker");
 
 done();

…-be-blocked-by-csp-002-worker.js.headers …02-worker-multiple-violations.js.headerstrusted-types/support/should-sink-type-mismatch-violation-be-blocked-by-csp-002-worker.js.headers renamed to trusted-types/support/should-sink-type-mismatch-violation-be-blocked-by-csp-002-worker-multiple-violations.js.headers trusted-types/support/should-sink-type-mismatch-violation-be-blocked-by-csp-002-worker.js.headers renamed to trusted-types/support/should-sink-type-mismatch-violation-be-blocked-by-csp-002-worker-multiple-violations.js.headers

@@ -0,0 +1,21 @@
+function passPlainStringToTrustedTypeSink() {       // 1
+  return trusted_type_violation_for(TypeError, _ => // 2
+    setTimeout    (";;;;;;;;;;;;;;;;;;;;;;;;;;;;;") //_3
+/*  |
+12345678901234567890
+*/
+  );
+}
+
+promise_test(async () => {
+  let violation = await passPlainStringToTrustedTypeSink();
+  let baseURL = (new URL(location.href)).origin;
+  let sourceFile = new URL("/trusted-types/support/should-sink-type-mismatch-violation-be-blocked-by-csp-location.js", baseURL).toString();
+  assert_equals(violation.sourceFile, sourceFile, "source file");
+  assert_equals(violation.lineNumber, 3, "line number");
+  // https://w3c.github.io/webappsec-csp/#create-violation-for-global does not
+  // say how to determine the location and browsers provide inconsistent values
+  // for column number, so just check it's at least the offset of the 's'
+  // character of setTimeout.
+  assert_greater_than_equal(violation.columnNumber, 5, "column number");
+} , `Location of required-trusted-types-for violations.`);