Add test for policies with disposition=report in workers

[fred-wang]

Looking for "Content-Security-Policy-Report-Only", I can't find any test related to workers:

find -type f | xargs grep 'Content-Security-Policy-Report-Only'
./trusted-types-reporting.html.headers:Content-Security-Policy-Report-Only: trusted-types two; report-uri /content-security-policy/resources/dummy-report.php
./trusted-types-reporting-check-report.html.sub.headers:Content-Security-Policy-Report-Only: trusted-types one two; report-uri /reporting/resources/report.py?op=put&reportID={{$id}}
./trusted-types-eval-reporting-report-only.html:  //   Content-Security-Policy-Report-Only: require-trusted-types-for 'script'
./trusted-types-report-only.html.headers:Content-Security-Policy-Report-Only: trusted-types two; report-uri /content-security-policy/resources/dummy-report.php; require-trusted-types-for 'script';
./trusted-types-duplicate-names-list-report-only.html.headers:Content-Security-Policy-Report-Only: trusted-types a b c
./support/navigation-report-only-support.html.headers:Content-Security-Policy-Report-Only: require-trusted-types-for 'script';
./trusted-types-report-only.html:  //   Content-Security-Policy-Report-Only: trusted-types ...; report-uri ...
./no-require-trusted-types-for-report-only.html.headers:Content-Security-Policy-Report-Only: require-trusted-types-for 'script'
./trusted-types-reporting-check-report.html:  Content-Security-Policy-Report-Only: \
./empty-default-policy-report-only.html.headers:Content-Security-Policy-Report-Only: require-trusted-types-for 'script';
./require-trusted-types-for-report-only.html.headers:Content-Security-Policy-Report-Only: require-trusted-types-for 'script'
./trusted-types-duplicate-names-list-report-only.html:// Content-Security-Policy-Report-Only: trusted-types a b c
./default-policy-report-only.html.headers:Content-Security-Policy-Report-Only: require-trusted-types-for 'script';
./trusted-types-eval-reporting-report-only.html.headers:Content-Security-Policy-Report-Only: require-trusted-types-for 'script'
./trusted-types-reporting.html:  //   Content-Security-Policy-Report-Only: trusted-types two; report-uri ...

This is used for the following algorithms:

• https://w3c.github.io/trusted-types/dist/spec/#does-sink-require-trusted-types (only when includeReportOnlyPolicies=false, which is needed for Add trusted-types-eval source expression for script-src webappsec-csp#665)
• https://w3c.github.io/trusted-types/dist/spec/#should-block-sink-type-mismatch
• https://w3c.github.io/trusted-types/dist/spec/#should-block-create-policy

[fred-wang]

cc @lukewarlow

[fred-wang]

We now have much more tests at trusted-types/should-trusted-type-policy-creation-be-blocked-by-csp-*.html ; but still they don't involve workers.

[annevk]

In case someone else was wondering: importScripts() is gated by Trusted Types.

[fred-wang]

In case someone else was wondering: importScripts() is gated by Trusted Types.

Right, a list of TT sinks can be found here: #494 (comment)

So the ones that can run in workers are:

• eval/new Function
• setTimeout/setInterval
• importScripts
• Worker's constructor (from DedicatedWorker/SharedWorker only)
• ServiceWorkerContainer's register

[fred-wang]

I believe @lukewarlow added complete sink coverage for disposition=enforce. I guess we need at least one case for Content-Security-Policy-Report-Only in worker (maybe eval and another one).