CSP: Don't perform NFC normalization prior to hashing

third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-unicode-normalization.html

Index: third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-unicode-normalization.html
diff --git a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-unicode-normalization.html b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-unicode-normalization.html
index b8264b4112298f074664f2e051580d367f601864..96bb6c47ad8b933da10533bb19c3bc4cec5c2c3a 100644
--- a/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-unicode-normalization.html
+++ b/third_party/WebKit/LayoutTests/http/tests/security/contentSecurityPolicy/1.1/scripthash-unicode-normalization.html
@@ -2,30 +2,32 @@
 <html>
     <head>
         <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
-        <meta http-equiv="Content-Security-Policy" content="script-src 'sha1-zv73epHrGLk/k/onuSBPoZAxzaA=' 'sha1-gbGNUiHncUNJ+diPbIoc+x6KrLo='">
+        <meta http-equiv="Content-Security-Policy" content="script-src 'sha1-zv73epHrGLk/k/onuSBPoZAxzaA=' 'sha256-U4Gr+1CJNHI/q8KjKw7YgdNNzwOinyKeRC4leoWXeMU='">
         <script>
             if (window.testRunner)
                 testRunner.dumpAsText();
         </script>
         <!-- The following two scripts contain two separate code points (U+00C5
         and U+212B, respectively) which, depending on your text editor, might be
-        rendered the same. However, their difference is important as they should
-        be NFC normalized to the same code point, thus they should hash to the
-        same value.-->
+        rendered the same. However, their difference is important as they would
+        be NFC normalized to the same code point, matching the hash. Since NFC
+        normalization should not be performed, the second script should not
+        match the hash and must not be executed. -->
         <script>
             'Å';
-            alert('PASS');
+            alert('PASS (1/1)');

[jww, 2015/10/29 21:22:14]

Unfortunately, I don't think this tests what we actually want to verify. For the
test to work, it should really be the same exact script except for the one code
point we expect would be normalized in NFC normalization. I jumped through some
hoops to test this in my new version of the web-platform-test:
https://github.com/w3c/web-platform-tests/pull/2287

You might want to consider just copying that or, alternatively, I'm happy to
copy that test over if you just want to delete this test in this CL.

[jsbell, 2015/10/29 22:01:46]

Oh, duh, thanks. Of course, they started off that way, and then diverged when I
tried to make the output more human-readable.

What do you think about the approach in the latest PS? (Eventually we can just
delete this in favor of the imported one...) Verified that the test fails in the
expected way if the C++ change is backed out.

[jww, 2015/10/29 22:06:46]

Looks good!

         </script>
         <script>
             'Å';
-            alert('PASS');
+            alert('FAIL');
         </script>
     </head>
     <body>
         <p>
             This tests Unicode normalization. While appearing the same, the
-            strings in the scripts are different Unicode points, but through
-            normalization, should be the same when the hash is taken.
+            strings in the scripts are different Unicode points. Unicode NFC
+            normalization would make both match the hash, but normalization
+            should not be performed, and so the second script should not run.
         </p>
     </body>
 </html>