third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/script-src-sri_hash.html - Issue 2784753003: CSP: Enable whitelisting of external JavaScript via hashes

Side by Side Diff: third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/script-src-sri_hash.html

Issue 2784753003: CSP: Enable whitelisting of external JavaScript via hashes (Closed)

Patch Set: unit_tests++ Created 3 years, 8 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

« third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/externalScript.js ('K') | « third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/externalScript.js ('k') | third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/script-src-sri_hash.html.headers » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

OLD	NEW
(Empty)
	1 <!DOCTYPE HTML>

	2 <html>

	3

	4 <head>

	5 <title>External scripts with matching SRI hash should be allowed.</title>

	6 <script src='/resources/testharness.js' nonce='dummy'></script>

	7 <script src='/resources/testharnessreport.js' nonce='dummy'></script>

	8

	9 <!-- CSP served: script-src 'nonce-dummy' 'sha256-wIc3KtqOuTFEu6t17sIBuOswgk V406VJvhSk79Gw6U0=' -->

	10 </head>

	11

	12 <body>

	13 <h1>External scripts with matching SRI hash should be allowed.</h1>

	14 <div id='log'></div>

	15

	16 <script nonce='dummy'>

	17 window.addEventListener('securitypolicyviolation', function(e) {

	18 assert_unreached('No CSP violation report has fired.');

	19 });

	20

	21 var externalRan = false;

	22 </script>

	23

	24 <script src='externalScript.js'

	25 integrity="sha256-wIc3KtqOuTFEu6t17sIBuOswgkV406VJvhSk79Gw6U0="></script >

	26 <script nonce='dummy'>

	27 test(function() {

	28 assert_true(externalRan, 'External script ran.');

	29 }, 'External script in a script tag with matching SRI hash should run.') ;

	30 </script>

	31

	32 <script nonce='dummy'>

	33 externalRan = false;

	34 async_test(function(t) {

	35 var e = document.createElement('script');

	36 e.id = 'appendChild';

	37 e.src = 'externalScript.js';

	38 e.setAttribute(

	39 'integrity',

	40 'sha256-wIc3KtqOuTFEu6t17sIBuOswgkV406VJvhSk79Gw6U0=');

	41 e.onload = t.step_func_done(function(e) {

	42 assert_true(externalRan, 'External script ran.');

	43 });

	44 e.onerror = t.unreached_func('Error should not be triggered.');

	45 document.body.appendChild(e);

	46

	47 }, "Dynamically-inserted external script with matching SRI hash should r un.");

	48 </script>
	Mike West 2017/04/06 10:26:35 While I think this test doesn't actually run into While I think this test doesn't actually run into race conditions, it reads as pretty racy due to the way you're using the same variable for everything. Rather than setting a property on the global object, how about listening for a message? You could include `.../content-security-policy/script-src/simpleSourcedScript.js` (which should also be in `.../support/` :( ), add an `id` attribute on the script, and wait for a message. Something like: ``` var test_cases = [ [ 'matching integrity', 'sha256-abc', true ], [ 'multiple matching integrity', 'sha256-abc sha512-abcdef', true ], [ 'no integrity', '', false ], [ 'mismatched integrity', 'sha256-xyz', false ], [ 'multiple mismatched intgerity', 'sha256-xyz sha256-zyx', false ], [ 'partially matching integrity', 'sha256-abc sha256-xyz', false ], ]; test(_ => { for (item of test_cases) { async_test(t => { var s = document.createElement('script'); s.id = item[0].replace(' ', '-'); s.src = './support/simpleSourcedScript.js'; s.integrity = item[1]; if (item[2]) { s.onerror = t.unreached_func("Script should load!"); window.addEventListener('message', t.step_func(e => { if (e.data == s.id) t.done(); })); } else { s.onerror = t.step_func_done(); window.addEventListener('message', t.step_func(e => { if (e.data == s.id) assert_unreached("Script should not execute!"); })); } document.body.appendChild(s); }, item[0]); } }, "Load all the tests."); ``` We should also verify that a policy that contains an origin allows scripts from that origin to execute even if the integrity attribute doesn't match the policy, etc. Marc Treib 2017/04/06 12:26:30 Thanks! With my (lack of) JS skills, it would've p Show quoted text On 2017/04/06 10:26:35, Mike West (OOO until 4th) wrote: > While I think this test doesn't actually run into race conditions, it reads as > pretty racy due to the way you're using the same variable for everything. Rather > than setting a property on the global object, how about listening for a message? > You could include > `.../content-security-policy/script-src/simpleSourcedScript.js` (which should > also be in `.../support/` :( ), add an `id` attribute on the script, and wait > for a message. Something like: > > ``` > var test_cases = [ > [ 'matching integrity', 'sha256-abc', true ], > [ 'multiple matching integrity', 'sha256-abc sha512-abcdef', true ], > [ 'no integrity', '', false ], > [ 'mismatched integrity', 'sha256-xyz', false ], > [ 'multiple mismatched intgerity', 'sha256-xyz sha256-zyx', false ], > [ 'partially matching integrity', 'sha256-abc sha256-xyz', false ], > ]; > > test(_ => { > for (item of test_cases) { > async_test(t => { > var s = document.createElement('script'); > s.id = item[0].replace(' ', '-'); > s.src = './support/simpleSourcedScript.js'; > s.integrity = item[1]; > > if (item[2]) { > s.onerror = t.unreached_func("Script should load!"); > window.addEventListener('message', t.step_func(e => { > if (e.data == s.id) > t.done(); > })); > } else { > s.onerror = t.step_func_done(); > window.addEventListener('message', t.step_func(e => { > if (e.data == s.id) > assert_unreached("Script should not execute!"); > })); > } > > document.body.appendChild(s); > }, item[0]); > } > }, "Load all the tests."); > ``` Thanks! With my (lack of) JS skills, it would've probably taken me hours to piece together something like this. I think it's not really possible to test non-dynamically-inserted scripts this way though, so I've left that part in. I tried rewriting it to the postMessage style too, but there I don't know how to verify that the script didn't run, so in the error case that test will time out rather than properly fail :( Any ideas? Or should I just stick with the global variable there? (Now there'd be only the one test that uses it.) Show quoted text > We should also verify that a policy that contains an origin allows scripts from > that origin to execute even if the integrity attribute doesn't match the policy, > etc. (Not done yet; I'm looking into how to do that exactly.) Marc Treib 2017/04/06 16:21:41 Done now, PTAL! Show quoted text On 2017/04/06 12:26:30, Marc Treib wrote: > On 2017/04/06 10:26:35, Mike West (OOO until 4th) wrote: > > While I think this test doesn't actually run into race conditions, it reads as > > pretty racy due to the way you're using the same variable for everything. > Rather > > than setting a property on the global object, how about listening for a > message? > > You could include > > `.../content-security-policy/script-src/simpleSourcedScript.js` (which should > > also be in `.../support/` :( ), add an `id` attribute on the script, and wait > > for a message. Something like: > > > > ``` > > var test_cases = [ > > [ 'matching integrity', 'sha256-abc', true ], > > [ 'multiple matching integrity', 'sha256-abc sha512-abcdef', true ], > > [ 'no integrity', '', false ], > > [ 'mismatched integrity', 'sha256-xyz', false ], > > [ 'multiple mismatched intgerity', 'sha256-xyz sha256-zyx', false ], > > [ 'partially matching integrity', 'sha256-abc sha256-xyz', false ], > > ]; > > > > test(_ => { > > for (item of test_cases) { > > async_test(t => { > > var s = document.createElement('script'); > > s.id = item[0].replace(' ', '-'); > > s.src = './support/simpleSourcedScript.js'; > > s.integrity = item[1]; > > > > if (item[2]) { > > s.onerror = t.unreached_func("Script should load!"); > > window.addEventListener('message', t.step_func(e => { > > if (e.data == s.id) > > t.done(); > > })); > > } else { > > s.onerror = t.step_func_done(); > > window.addEventListener('message', t.step_func(e => { > > if (e.data == s.id) > > assert_unreached("Script should not execute!"); > > })); > > } > > > > document.body.appendChild(s); > > }, item[0]); > > } > > }, "Load all the tests."); > > ``` > > Thanks! With my (lack of) JS skills, it would've probably taken me hours to > piece together something like this. > > I think it's not really possible to test non-dynamically-inserted scripts this > way though, so I've left that part in. I tried rewriting it to the postMessage > style too, but there I don't know how to verify that the script didn't run, so > in the error case that test will time out rather than properly fail :( > Any ideas? Or should I just stick with the global variable there? (Now there'd > be only the one test that uses it.) > > > We should also verify that a policy that contains an origin allows scripts > from > > that origin to execute even if the integrity attribute doesn't match the > policy, > > etc. > > (Not done yet; I'm looking into how to do that exactly.) Done now, PTAL!
	49

	50 </body>

	51

	52 </html>

OLD	NEW