
Side by Side Diff: third_party/WebKit/LayoutTests/external/wpt/subresource-integrity/subresource-integrity.sub.html

Issue 2697453005: Import wpt@758b3b4cfa805067f36121333ba031e583d3a62c (Closed)
Patch Set: Add -expected.txt files. Created 3 years, 10 months ago
(Empty)
1 <!DOCTYPE html>
2 <meta charset=utf-8>
3 <title>Subresource Integrity</title>
4 <script src="/resources/testharness.js"></script>
5 <script src="/resources/testharnessreport.js"></script>
6
7 <div id="log"></div>
8
9 <div id="container"></div>
10 <script>
11 // This horrible hack is needed for the 'use-credentials' tests because, on
12 // response, if port 80 or 443 is the current port, it will not appear to
13 // the browser as part of the origin string. Since the origin *string* is
14 // used for CORS access control, instead of the origin itself, if there
15 // isn't an exact string match, the check will fail. For example,
16 // "http://example.com" would not match "http://example.com:80", because
17 // they are not exact string matches, even though the origins are the same.
18 //
19 // Thus, we only want the Access-Control-Allow-Origin header to have
20 // the port if it's not port 80 or 443, since the user agent will elide the
21 // ports in those cases.
22 var main_domain = "{{domains[]}}";
23 var www_domain = "{{domains[www]}}";
24 var default_port = "{{ports[http][0]}}";
25 if (location.protocol === "https:") {
26 default_port = "{{ports[https][0]}}";
27 }
28
29 var port_string = "";
30 if (default_port !== "80" && default_port !== "443")
31 port_string = ":" + default_port;
32
33 www_host_and_port = www_domain + port_string;
34
35 // <script> tests
36 var xorigin_anon_script = location.protocol
37 + '//' + www_host_and_port
38 + '/subresource-integrity/crossorigin-anon-script.js';
39
40 var xorigin_creds_script = location.protocol
41 + '//' + www_host_and_port
42 + '/subresource-integrity/crossorigin-creds-script.js?acao_port='
43 + port_string;
44
45 var xorigin_ineligible_script = location.protocol
46 + '//' + www_host_and_port
47 + '/subresource-integrity/crossorigin-ineligible-script.js';
48
49 var SRIScriptTest = function(pass, name, src, integrityValue, crossoriginVal ue) {
50 this.pass = pass;
51 this.name = "Script: " + name;
52 this.src = src;
53 this.integrityValue = integrityValue;
54 this.crossoriginValue = crossoriginValue;
55 }
56
57 SRIScriptTest.prototype.execute = function() {
58 var test = async_test(this.name);
59 var e = document.createElement("script");
60 e.src = this.src;
61 e.setAttribute("integrity", this.integrityValue);
62 if(this.crossoriginValue) {
63 e.setAttribute("crossorigin", this.crossoriginValue);
64 }
65 if(this.pass) {
66 e.addEventListener("load", function() {test.done()});
67 e.addEventListener("error", function() {
68 test.step(function(){ assert_unreached("Good load fired error ha ndler.") })
69 });
70 } else {
71 e.addEventListener("load", function() {
72 test.step(function() { assert_unreached("Bad load succeeded.") } )
73 });
74 e.addEventListener("error", function() {test.done()});
75 }
76 document.body.appendChild(e);
77 };
78
79 // Note that all of these style URLs have query parameters started, so any
80 // additional parameters should be appended starting with '&'.
81 var xorigin_anon_style = location.protocol
82 + '//' + www_host_and_port
83 + '/subresource-integrity/crossorigin-anon-style.css?';
84
85 var xorigin_creds_style = location.protocol
86 + '//' + www_host_and_port
87 + '/subresource-integrity/crossorigin-creds-style.css?acao_port='
88 + port_string;
89
90 var xorigin_ineligible_style = location.protocol
91 + '//' + www_host_and_port
92 + '/subresource-integrity/crossorigin-ineligible-style.css?';
93
94 // <link> tests
95 // Style tests must be done synchronously because they rely on the presence
96 // and absence of global style, which can affect later tests. Thus, instead
97 // of executing them one at a time, the style tests are implemented as a
98 // queue that builds up a list of tests, and then executes them one at a
99 // time.
100 var SRIStyleTest = function(queue, pass, name, attrs, customCallback, altPas sValue) {
101 this.pass = pass;
102 this.name = "Style: " + name;
103 this.customCallback = customCallback || function () {};
104 this.attrs = attrs || {};
105 this.passValue = altPassValue || "rgb(255, 255, 0)";
106
107 this.test = async_test(this.name);
108
109 this.queue = queue;
110 this.queue.push(this);
111 }
112
113 SRIStyleTest.prototype.execute = function() {
114 var that = this;
115 var container = document.getElementById("container");
116 while (container.hasChildNodes()) {
117 container.removeChild(container.firstChild);
118 }
119
120 var test = this.test;
121
122 var div = document.createElement("div");
123 div.className = "testdiv";
124 var e = document.createElement("link");
125 this.attrs.rel = this.attrs.rel || "stylesheet";
126 for (var key in this.attrs) {
127 if (this.attrs.hasOwnProperty(key)) {
128 e.setAttribute(key, this.attrs[key]);
129 }
130 }
131
132 if(this.pass) {
133 e.addEventListener("load", function() {
134 test.step(function() {
135 var background = window.getComputedStyle(div, null).getPrope rtyValue("background-color");
136 assert_equals(background, that.passValue);
137 test.done();
138 });
139 });
140 e.addEventListener("error", function() {
141 test.step(function(){ assert_unreached("Good load fired error ha ndler.") })
142 });
143 } else {
144 e.addEventListener("load", function() {
145 test.step(function() { assert_unreached("Bad load succeeded.") })
146 });
147 e.addEventListener("error", function() {
148 test.step(function() {
149 var background = window.getComputedStyle(div, null).getPrope rtyValue("background-color");
150 assert_not_equals(background, that.passValue);
151 test.done();
152 });
153 });
154 }
155 container.appendChild(div);
156 container.appendChild(e);
157 this.customCallback(e, container);
158 };
159
160 var style_tests = [];
161 style_tests.execute = function() {
162 if (this.length > 0) {
163 this.shift().execute();
164 }
165 }
166 add_result_callback(function(res) {
167 if (res.name.startsWith("Style: ")) {
168 style_tests.execute();
169 }
170 });
171
172 // Script tests
173 new SRIScriptTest(
174 true,
175 "Same-origin with correct sha256 hash.",
176 "matching-digest.js",
177 "sha256-U9WYDtBWkcHx13+9UKk/3Q5eoqDc4YGxYb07EPWzb9E="
178 ).execute();
179
180 new SRIScriptTest(
181 true,
182 "Same-origin with correct sha384 hash.",
183 "matching-digest.js",
184 "sha384-BDRTPSywZFyxfLEAzaLcL4FfERBgJgXfEkuT0r04LG93Yqn1PWNYPZMomaqEfE3H "
185 ).execute();
186
187 new SRIScriptTest(
188 true,
189 "Same-origin with correct sha512 hash.",
190 "matching-digest.js",
191 "sha512-geByvIIRspbnUnwooKGNNCb39nvg+EW0O9hDScTXeo/9pVZztLSUYU3LNV6H0lZa po8bCJUpyPPLAzE9fDzpxg=="
192 ).execute();
193
194 new SRIScriptTest(
195 true,
196 "Same-origin with empty integrity.",
197 "matching-digest.js",
198 ""
199 ).execute();
200
201 new SRIScriptTest(
202 false,
203 "Same-origin with incorrect hash.",
204 "non-matching-digest.js",
205 "sha256-deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdead"
206 ).execute();
207
208 new SRIScriptTest(
209 true,
210 "Same-origin with multiple sha256 hashes, including correct.",
211 "matching-digest.js",
212 "sha256-U9WYDtBWkcHx13+9UKk/3Q5eoqDc4YGxYb07EPWzb9E= sha256-deadbeefdead beefdeadbeefdeadbeefdeadbeefdead"
213 ).execute();
214
215 new SRIScriptTest(
216 true,
217 "Same-origin with multiple sha256 hashes, including unknown algorithm.",
218 "matching-digest.js",
219 "sha256-U9WYDtBWkcHx13+9UKk/3Q5eoqDc4YGxYb07EPWzb9E= foo666-deadbeefdead beefdeadbeefdeadbeefdeadbeefdead"
220 ).execute();
221
222 new SRIScriptTest(
223 true,
224 "Same-origin with sha256 mismatch, sha512 match",
225 "matching-digest.js",
226 "sha512-geByvIIRspbnUnwooKGNNCb39nvg+EW0O9hDScTXeo/9pVZztLSUYU3LNV6H0lZa po8bCJUpyPPLAzE9fDzpxg== sha256-deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdead"
227 ).execute();
228
229 new SRIScriptTest(
230 false,
231 "Same-origin with sha256 match, sha512 mismatch",
232 "matching-digest.js",
233 "sha512-deadbeefspbnUnwooKGNNCb39nvg+EW0O9hDScTXeo/9pVZztLSUYU3LNV6H0lZa po8bCJUpyPPLAzE9fDzpxg== sha256-U9WYDtBWkcHx13+9UKk/3Q5eoqDc4YGxYb07EPWzb9E="
234 ).execute();
235
236 new SRIScriptTest(
237 true,
238 "<crossorigin='anonymous'> with correct hash, ACAO: *",
239 xorigin_anon_script,
240 "sha256-51AjITq701Y0yKSx3/UoIKtIY2UQ9+H8WGyyMuOWOC0=",
241 "anonymous"
242 ).execute();
243
244 new SRIScriptTest(
245 false,
246 "<crossorigin='anonymous'> with incorrect hash, ACAO: *",
247 xorigin_anon_script,
248 "sha256-deadbeefcSLlbFZCj1OACLxTxVck2TOrBTEdUbwz1yU=",
249 "anonymous"
250 ).execute();
251
252 new SRIScriptTest(
253 true,
254 "<crossorigin='use-credentials'> with correct hash, CORS-eligible",
255 xorigin_creds_script,
256 "sha256-IaGApVboXPQxVSm2wVFmhMq1Yu37gWklajgMdxKLIvc=",
257 "use-credentials"
258 ).execute();
259
260 new SRIScriptTest(
261 false,
262 "<crossorigin='use-credentials'> with incorrect hash CORS-eligible",
263 xorigin_creds_script,
264 "sha256-deadbeef2S+pTRZgiw3DWrhC6JLDlt2zRyGpwH7unU8=",
265 "use-credentials"
266 ).execute();
267
268 new SRIScriptTest(
269 false,
270 "<crossorigin='anonymous'> with CORS-ineligible resource",
271 xorigin_ineligible_script,
272 "sha256-F5fXKTX7SiWjtgybxiBZIo2qhh2WiQnNx372E60XrOo=",
273 "anonymous"
274 ).execute();
275
276 new SRIScriptTest(
277 false,
278 "Cross-origin, not CORS request, with correct hash",
279 xorigin_anon_script,
280 "sha256-51AjITq701Y0yKSx3/UoIKtIY2UQ9+H8WGyyMuOWOC0="
281 ).execute();
282
283 new SRIScriptTest(
284 false,
285 "Cross-origin, not CORS request, with hash mismatch",
286 xorigin_anon_script,
287 "sha256-deadbeef01Y0yKSx3/UoIKtIY2UQ9+H8WGyyMuOWOC0="
288 ).execute();
289
290 new SRIScriptTest(
291 true,
292 "Cross-origin, empty integrity",
293 xorigin_anon_script,
294 ""
295 ).execute();
296
297 new SRIScriptTest(
298 true,
299 "Same-origin with correct hash, options.",
300 "matching-digest.js",
301 "sha256-U9WYDtBWkcHx13+9UKk/3Q5eoqDc4YGxYb07EPWzb9E=?foo=bar?spam=eggs"
302 ).execute();
303
304 new SRIScriptTest(
305 true,
306 "Same-origin with unknown algorithm only.",
307 "matching-digest.js",
308 "foo666-U9WYDtBWkcHx13+9UKk/3Q5eoqDc4YGxYb07EPWzb9E="
309 ).execute();
310
311 // Style tests
312 new SRIStyleTest(
313 style_tests,
314 true,
315 "Same-origin with correct sha256 hash",
316 {
317 href: "style.css?1",
318 integrity: "sha256-CzHgdJ7wOccM8L89n4bhcJMz3F+SPLT7YZk7gyCWUV4="
319 }
320 );
321
322 new SRIStyleTest(
323 style_tests,
324 true,
325 "Same-origin with correct sha384 hash",
326 {
327 href: "style.css?2",
328 integrity: "sha384-wDAWxH4tOWBwAwHfBn9B7XuNmFxHTMeigAMwn0iVQ0zq3FtmY MLxihcGnU64CwcX"
329 }
330 );
331
332 new SRIStyleTest(
333 style_tests,
334 true,
335 "Same-origin with correct sha512 hash",
336 {
337 href: "style.css?3",
338 integrity: "sha512-9wXDjd6Wq3H6nPAhI9zOvG7mJkUr03MTxaO+8ztTKnfJif42l aL93Be/IF6YYZHHF4esitVYxiwpY2HSZX4l6w=="
339 }
340 );
341
342 new SRIStyleTest(
343 style_tests,
344 true,
345 "Same-origin with empty integrity",
346 {
347 href: "style.css?4",
348 integrity: ""
349 }
350 );
351
352 new SRIStyleTest(
353 style_tests,
354 false,
355 "Same-origin with incorrect hash.",
356 {
357 href: "style.css?5",
358 integrity: "sha256-deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdead"
359 }
360 );
361
362 new SRIStyleTest(
363 style_tests,
364 true,
365 "Same-origin with multiple sha256 hashes, including correct.",
366 {
367 href: "style.css?6",
368 integrity: "sha256-CzHgdJ7wOccM8L89n4bhcJMz3F+SPLT7YZk7gyCWUV4= sha2 56-deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdead"
369 }
370 );
371
372 new SRIStyleTest(
373 style_tests,
374 true,
375 "Same-origin with multiple sha256 hashes, including unknown algorithm.",
376 {
377 href: "style.css?7",
378 integrity: "sha256-CzHgdJ7wOccM8L89n4bhcJMz3F+SPLT7YZk7gyCWUV4= foo6 66-deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdead"
379 }
380 );
381
382 new SRIStyleTest(
383 style_tests,
384 true,
385 "Same-origin with sha256 mismatch, sha512 match",
386 {
387 href: "style.css?8",
388 integrity: "sha512-9wXDjd6Wq3H6nPAhI9zOvG7mJkUr03MTxaO+8ztTKnfJif42l aL93Be/IF6YYZHHF4esitVYxiwpY2HSZX4l6w== sha256-deadbeefdeadbeefdeadbeefdeadbeefd eadbeefdead"
389 }
390 );
391
392 new SRIStyleTest(
393 style_tests,
394 false,
395 "Same-origin with sha256 match, sha512 mismatch",
396 {
397 href: "style.css?9",
398 integrity: "sha512-deadbeef9wXDjd6Wq3H6nPAhI9zOvG7mJkUr03MTxaO+8ztTK nfJif42laL93Be/IF6YYZHHF4esitVYxiwpY2== sha256-CzHgdJ7wOccM8L89n4bhcJMz3F+SPLT7Y Zk7gyCWUV4="
399 }
400 );
401
402 new SRIStyleTest(
403 style_tests,
404 true,
405 "<crossorigin='anonymous'> with correct hash, ACAO: *",
406 {
407 href: xorigin_anon_style + '&1',
408 integrity: "sha256-CzHgdJ7wOccM8L89n4bhcJMz3F+SPLT7YZk7gyCWUV4=",
409 crossorigin: "anonymous"
410 }
411 );
412
413 new SRIStyleTest(
414 style_tests,
415 false,
416 "<crossorigin='anonymous'> with incorrect hash, ACAO: *",
417 {
418 href: xorigin_anon_style + '&2',
419 integrity: "sha256-deadbeefCzHgdJ7wOccM8L89n4bhcJMz3F+SPLT7YZk=",
420 crossorigin: "anonymous"
421 }
422 );
423
424 new SRIStyleTest(
425 style_tests,
426 true,
427 "<crossorigin='use-credentials'> with correct hash, CORS-eligible",
428 {
429 href: xorigin_creds_style + '&1',
430 integrity: "sha256-CzHgdJ7wOccM8L89n4bhcJMz3F+SPLT7YZk7gyCWUV4=",
431 crossorigin: "use-credentials"
432 }
433 );
434
435 new SRIStyleTest(
436 style_tests,
437 false,
438 "<crossorigin='use-credentials'> with incorrect hash CORS-eligible",
439 {
440 href: xorigin_creds_style + '&2',
441 integrity: "sha256-deadbeefCzHgdJ7wOccM8L89n4bhcJMz3F+SPLT7YZk=",
442 crossorigin: "use-credentials"
443 }
444 );
445
446 new SRIStyleTest(
447 style_tests,
448 false,
449 "<crossorigin='anonymous'> with CORS-ineligible resource",
450 {
451 href: xorigin_ineligible_style + '&1',
452 integrity: "sha256-CzHgdJ7wOccM8L89n4bhcJMz3F+SPLT7YZk7gyCWUV4=",
453 crossorigin: "anonymous"
454 }
455 );
456
457 new SRIStyleTest(
458 style_tests,
459 false,
460 "Cross-origin, not CORS request, with correct hash",
461 {
462 href: xorigin_anon_style + '&3',
463 integrity: "sha256-CzHgdJ7wOccM8L89n4bhcJMz3F+SPLT7YZk7gyCWUV4="
464 }
465 );
466
467 new SRIStyleTest(
468 style_tests,
469 false,
470 "Cross-origin, not CORS request, with hash mismatch",
471 {
472 href: xorigin_anon_style + '&4',
473 integrity: "sha256-deadbeefCzHgdJ7wOccM8L89n4bhcJMz3F+SPLT7YZk="
474 }
475 );
476
477 new SRIStyleTest(
478 style_tests,
479 true,
480 "Cross-origin, empty integrity",
481 {
482 href: xorigin_anon_style + '&5',
483 integrity: ""
484 }
485 );
486
487 new SRIStyleTest(
488 style_tests,
489 true,
490 "Same-origin with correct hash, options.",
491 {
492 href: "style.css?10",
493 integrity: "sha256-CzHgdJ7wOccM8L89n4bhcJMz3F+SPLT7YZk7gyCWUV4=?foo= bar?spam=eggs"
494 }
495 );
496
497 new SRIStyleTest(
498 style_tests,
499 true,
500 "Same-origin with unknown algorithm only.",
501 {
502 href: "style.css?11",
503 integrity: "foo666-CzHgdJ7wOccM8L89n4bhcJMz3F+SPLT7YZk7gyCWUV4=?foo= bar?spam=eggs"
504 }
505 );
506
507 new SRIStyleTest(
508 style_tests,
509 true,
510 "Same-origin with correct sha256 hash, rel='stylesheet license'",
511 {
512 href: "style.css?12",
513 integrity: "sha256-CzHgdJ7wOccM8L89n4bhcJMz3F+SPLT7YZk7gyCWUV4=",
514 rel: "stylesheet license"
515 }
516 );
517
518 new SRIStyleTest(
519 style_tests,
520 true,
521 "Same-origin with correct sha256 hash, rel='license stylesheet'",
522 {
523 href: "style.css?13",
524 integrity: "sha256-CzHgdJ7wOccM8L89n4bhcJMz3F+SPLT7YZk7gyCWUV4=",
525 rel: "license stylesheet"
526 }
527 );
528
529 new SRIStyleTest(
530 style_tests,
531 true,
532 "Same-origin with correct sha256 and sha512 hash, rel='alternate stylesh eet' enabled",
533 {
534 href: "alternate.css?1",
535 title: "alt",
536 type: "text/css",
537 class: "alternate",
538 disabled: "disabled",
539 rel: "alternate stylesheet",
540 integrity: "sha256-phbz83bWhnLig+d2VPKrRrTRyhqoDRo1ruGqZLZ0= sha512- 8OYEB7ktnzcb6h+kB9CUIuc8qvKIyLpygRJdQSEEycRy74dUsB+Yu9rSjpOPjRUblle8WWX9Gn7v39LK 2Oceig==",
541 },
542 function (link, container) {
543 var alternate = document.querySelector('link.alternate');
544 alternate.disabled = false;
545 },
546 "rgb(255, 0, 0)"
547 );
548
549 new SRIStyleTest(
550 style_tests,
551 false,
552 "Same-origin with incorrect sha256 and sha512 hash, rel='alternate style sheet' enabled",
553 {
554 href: "alternate.css?2",
555 title: "alt",
556 type: "text/css",
557 class: "alternate",
558 disabled: "disabled",
559 rel: "alternate stylesheet",
560 integrity: "sha256-fail83bWhnLig+d2VPKrRrTRyhqoDRo1ruGqZLZ0= sha512- failB7ktnzcb6h+kB9CUIuc8qvKIyLpygRJdQSEEycRy74dUsB+Yu9rSjpOPjRUblle8WWX9Gn7v39LK 2Oceig==",
561 },
562 function (link, container) {
563 var alternate = document.querySelector('link.alternate');
564 alternate.disabled = false;
565 }
566 );
567
568 style_tests.execute();
569
570 </script>
571 <!-- TODO check cache-poisoned resources, transfer-encoding, 3xx redirect
572 to resource with matching hash, and cross-origin leakage test as in sec5.3.
573 -->
