third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-unicode-normalization.html - Issue 1420483005: CSP: Don't perform NFC normalization prior to hashing

Side by Side Diff: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-unicode-normalization.html

Issue 1420483005: CSP: Don't perform NFC normalization prior to hashing (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@nfc-frame

Patch Set: Flip normalization test, leave wtf/text alone Created 5 years, 1 month ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

« no previous file with comments | « no previous file | third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-unicode-normalization-expected.txt » ('j') | third_party/WebKit/Source/core/frame/csp/CSPDirectiveList.cpp » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

OLD	NEW
1 <!DOCTYPE html>	1 <!DOCTYPE html>

2 <html>	2 <html>

3 <head>	3 <head>

4 <meta http-equiv="Content-Type" content="text/html; charset=utf-8">	4 <meta http-equiv="Content-Type" content="text/html; charset=utf-8">

5 <meta http-equiv="Content-Security-Policy" content="script-src 'sha1-zv7 3epHrGLk/k/onuSBPoZAxzaA=' 'sha1-gbGNUiHncUNJ+diPbIoc+x6KrLo='">	5 <meta http-equiv="Content-Security-Policy" content="script-src 'sha1-zv7 3epHrGLk/k/onuSBPoZAxzaA=' 'sha256-U4Gr+1CJNHI/q8KjKw7YgdNNzwOinyKeRC4leoWXeMU=' ">

6 <script>	6 <script>

7 if (window.testRunner)	7 if (window.testRunner)

8 testRunner.dumpAsText();	8 testRunner.dumpAsText();

9 </script>	9 </script>

10 <!-- The following two scripts contain two separate code points (U+00C5	10 <!-- The following two scripts contain two separate code points (U+00C5

11 and U+212B, respectively) which, depending on your text editor, might be	11 and U+212B, respectively) which, depending on your text editor, might be

12 rendered the same. However, their difference is important as they should	12 rendered the same. However, their difference is important as they would

13 be NFC normalized to the same code point, thus they should hash to the	13 be NFC normalized to the same code point, matching the hash. Since NFC

14 same value.-->	14 normalization should not be performed, the second script should not

	15 match the hash and must not be executed. -->

15 <script>	16 <script>

16 'Å';	17 'Å';

17 alert('PASS');	18 alert('PASS (1/1)');
	jww 2015/10/29 21:22:14 Unfortunately, I don't think this tests what we ac Unfortunately, I don't think this tests what we actually want to verify. For the test to work, it should really be the same exact script except for the one code point we expect would be normalized in NFC normalization. I jumped through some hoops to test this in my new version of the web-platform-test: https://github.com/w3c/web-platform-tests/pull/2287 You might want to consider just copying that or, alternatively, I'm happy to copy that test over if you just want to delete this test in this CL. jsbell 2015/10/29 22:01:46 Oh, duh, thanks. Of course, they started off that Show quoted text On 2015/10/29 21:22:14, jww wrote: > Unfortunately, I don't think this tests what we actually want to verify. For the > test to work, it should really be the same exact script except for the one code > point we expect would be normalized in NFC normalization. Oh, duh, thanks. Of course, they started off that way, and then diverged when I tried to make the output more human-readable. What do you think about the approach in the latest PS? (Eventually we can just delete this in favor of the imported one...) Verified that the test fails in the expected way if the C++ change is backed out. jww 2015/10/29 22:06:46 Looks good! Show quoted text On 2015/10/29 22:01:46, jsbell wrote: > On 2015/10/29 21:22:14, jww wrote: > > Unfortunately, I don't think this tests what we actually want to verify. For > the > > test to work, it should really be the same exact script except for the one > code > > point we expect would be normalized in NFC normalization. > > Oh, duh, thanks. Of course, they started off that way, and then diverged when I > tried to make the output more human-readable. > > What do you think about the approach in the latest PS? (Eventually we can just > delete this in favor of the imported one...) Verified that the test fails in the > expected way if the C++ change is backed out. Looks good!
18 </script>	19 </script>

19 <script>	20 <script>

20 'Å';	21 'Å';

21 alert('PASS');	22 alert('FAIL');

22 </script>	23 </script>

23 </head>	24 </head>

24 <body>	25 <body>

25 <p>	26 <p>

26 This tests Unicode normalization. While appearing the same, the	27 This tests Unicode normalization. While appearing the same, the

27 strings in the scripts are different Unicode points, but through	28 strings in the scripts are different Unicode points. Unicode NFC

28 normalization, should be the same when the hash is taken.	29 normalization would make both match the hash, but normalization

	30 should not be performed, and so the second script should not run.

29 </p>	31 </p>

30 </body>	32 </body>

31 </html>	33 </html>

OLD	NEW