CSP: Enable whitelisting of external JavaScript via hashes

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/script-src-sri_hash.html

+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <title>External scripts with matching SRI hash should be allowed.</title>
+    <script src='/resources/testharness.js' nonce='dummy'></script>
+    <script src='/resources/testharnessreport.js' nonce='dummy'></script>
+
+    <!-- CSP served: script-src 'nonce-dummy' 'sha256-wIc3KtqOuTFEu6t17sIBuOswgkV406VJvhSk79Gw6U0=' 'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c=' 'sha512-rYCVMxWV5nq8IsMo+UZNObWtEiWGok/vDN8BMoEQi41s0znSes6E1Q2aag3Lw3u2J1w2rqH7uF2ws6FpQhfSOA=' -->
+</head>
+
+<body>
+    <h1>External scripts with matching SRI hash should be allowed.</h1>
+    <div id='log'></div>
+
+    <script nonce='dummy'>
+        // Test name, integrity, expected to run.
+        var test_cases = [
+          [ 'matching integrity',
+            'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c=',
+            true ],
+          [ 'multiple matching integrity',
+            'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c= sha512-rYCVMxWV5nq8IsMo+UZNObWtEiWGok/vDN8BMoEQi41s0znSes6E1Q2aag3Lw3u2J1w2rqH7uF2ws6FpQhfSOA=',
+            true ],
+          [ 'no integrity', '', false ],
+          [ 'matching plus unsupported integrity',
+            'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c= sha999-xyz',
+            true ],
+          [ 'mismatched integrity', 'sha256-xyz', false ],
+          [ 'multiple mismatched intgerity', 'sha256-xyz sha256-zyx', false ],
+          [ 'partially matching integrity',
+            'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c= sha256-xyz',
+            false ],
+        ];
+
+        test(_ => {
+          for (item of test_cases) {
+            async_test(t => {
+              var s = document.createElement('script');
+              s.id = item[0].replace(' ', '-');
+              s.src = './simpleSourcedScript.js';
+              s.integrity = item[1];
+
+              if (item[2]) {
+                s.onerror = t.unreached_func("Script should load!");
+                window.addEventListener('message', t.step_func(e => {
+                  if (e.data == s.id)
+                    t.done();
+                }));
+              } else {
+                s.onerror = t.step_func_done();
+                window.addEventListener('message', t.step_func(e => {
+                  if (e.data == s.id)
+                    assert_unreached("Script should not execute!");
+                }));
+              }
+
+              document.body.appendChild(s);
+            }, item[0]);
+          }
+        }, "Load all the tests.");
+    </script>
+
+    <script nonce='dummy'>

[Marc Treib, 2017/04/06 12:26:30]

This is the new attempt for the parser-inserted-script-tag test, with
postMessage. I don't know how to properly detect failure here; if something's
wrong, the test would just time out.

+        async_test(t => {
+          window.addEventListener('message', t.step_func(e => {
+            if (e.data == 'external-script')
+              t.done();
+          }));
+        }, 'v2: External script in a script tag with matching SRI hash should run.');
+    </script>
+    <script id='external-script' src='./simpleSourcedScript.js'
+        integrity="sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c="></script>
+
+    <script nonce='dummy'>

[Marc Treib, 2017/04/06 12:26:30]

This is the previous version of the parser-inserted-script-tag test, with the
global variable. But it's now the only test that uses that variable.

+        var externalRan = false;
+    </script>
+    <script src='./externalScript.js'
+        integrity="sha256-wIc3KtqOuTFEu6t17sIBuOswgkV406VJvhSk79Gw6U0="></script>
+    <script nonce='dummy'>
+        test(function() {
+            assert_true(externalRan, 'External script ran.');
+        }, 'v1: External script in a script tag with matching SRI hash should run.');
+    </script>
+
+</body>
+
+</html>