OLD | NEW |
---|---|
(Empty) | |
1 <!DOCTYPE HTML> | |
2 <html> | |
3 | |
4 <head> | |
5 <title>External scripts with matching SRI hash should be allowed.</title> | |
6 <script src='/resources/testharness.js' nonce='dummy'></script> | |
7 <script src='/resources/testharnessreport.js' nonce='dummy'></script> | |
8 | |
9 <!-- CSP served: script-src {{domains[www]}}:* 'nonce-dummy' 'sha256-wIc3Ktq OuTFEu6t17sIBuOswgkV406VJvhSk79Gw6U0=' 'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+ haPGlByG9c=' 'sha512-rYCVMxWV5nq8IsMo+UZNObWtEiWGok/vDN8BMoEQi41s0znSes6E1Q2aag3 Lw3u2J1w2rqH7uF2ws6FpQhfSOA=' --> | |
10 </head> | |
11 | |
12 <body> | |
13 <h1>External scripts with matching SRI hash should be allowed.</h1> | |
14 <div id='log'></div> | |
15 | |
16 <script nonce='dummy'> | |
17 var port = "{{ports[http][0]}}"; | |
18 if (location.protocol === "https:") | |
19 port = "{{ports[https][0]}}"; | |
20 var crossorigin_base = location.protocol + "//{{domains[www]}}:" + port; | |
21 | |
22 // Test name, src, integrity, expected to run. | |
23 var test_cases = [ | |
24 [ 'matching integrity', | |
25 './simpleSourcedScript.js', | |
26 'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c=', | |
27 true ], | |
28 [ 'multiple matching integrity', | |
29 './simpleSourcedScript.js', | |
30 'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c= sha512-rYCVMxWV 5nq8IsMo+UZNObWtEiWGok/vDN8BMoEQi41s0znSes6E1Q2aag3Lw3u2J1w2rqH7uF2ws6FpQhfSOA=' , | |
31 true ], | |
32 [ 'no integrity', | |
33 './simpleSourcedScript.js', | |
34 '', | |
35 false ], | |
36 [ 'matching plus unsupported integrity', | |
37 './simpleSourcedScript.js', | |
38 'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c= sha999-xyz', | |
39 true ], | |
40 [ 'mismatched integrity', | |
41 './simpleSourcedScript.js', | |
42 'sha256-xyz', | |
43 false ], | |
44 [ 'multiple mismatched integrity', | |
45 './simpleSourcedScript.js', | |
46 'sha256-xyz sha256-zyx', | |
47 false ], | |
48 [ 'partially matching integrity', | |
49 './simpleSourcedScript.js', | |
50 'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c= sha256-xyz', | |
51 false ], | |
52 [ 'crossorigin no integrity but whitelisted host', | |
53 crossorigin_base + '/content-security-policy/script-src/crossoriginS cript.js', | |
54 '', | |
55 true ], | |
56 [ 'crossorigin mismatched integrity but whitelisted host', | |
57 crossorigin_base + '/content-security-policy/script-src/crossoriginS cript.js', | |
58 'sha256-kKJ5c48yxzaaSBupJSCmY50hkD8xbVgZgLHLtmnkeAo=', | |
59 true ], | |
60 ]; | |
61 | |
62 test(_ => { | |
63 for (item of test_cases) { | |
64 async_test(t => { | |
65 var s = document.createElement('script'); | |
66 s.id = item[0].replace(' ', '-'); | |
67 s.src = item[1]; | |
68 s.integrity = item[2]; | |
69 s.setAttribute('crossorigin', 'anonymous'); | |
70 | |
71 if (item[3]) { | |
72 s.onerror = t.unreached_func("Script should load! " + s.src); | |
73 window.addEventListener('message', t.step_func(e => { | |
74 if (e.data == s.id) | |
75 t.done(); | |
76 })); | |
77 } else { | |
78 s.onerror = t.step_func_done(); | |
79 window.addEventListener('message', t.step_func(e => { | |
80 if (e.data == s.id) | |
81 assert_unreached("Script should not execute!"); | |
82 })); | |
83 } | |
84 | |
85 document.body.appendChild(s); | |
86 }, item[0]); | |
87 } | |
88 }, "Load all the tests."); | |
89 </script> | |
90 | |
91 <script nonce='dummy'> | |
Marc Treib
2017/04/07 09:03:26
Here: New version with postMessage, but will time
| |
92 async_test(t => { | |
93 window.addEventListener('message', t.step_func(e => { | |
94 if (e.data == 'external-script') | |
95 t.done(); | |
96 })); | |
97 }, 'v2: External script in a script tag with matching SRI hash should ru n.'); | |
98 </script> | |
99 <script id='external-script' src='./simpleSourcedScript.js' | |
100 integrity="sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c="></script > | |
101 | |
102 <script nonce='dummy'> | |
Marc Treib
2017/04/07 09:03:26
Here: Old version with global variable (but it's n
| |
103 var externalRan = false; | |
104 </script> | |
105 <script src='./externalScript.js' | |
106 integrity="sha256-wIc3KtqOuTFEu6t17sIBuOswgkV406VJvhSk79Gw6U0="></script > | |
107 <script nonce='dummy'> | |
108 test(function() { | |
109 assert_true(externalRan, 'External script ran.'); | |
110 }, 'v1: External script in a script tag with matching SRI hash should ru n.'); | |
111 </script> | |
112 | |
113 </body> | |
114 | |
115 </html> | |
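Review bot: The negative cases in `test_cases` complete on any `error` event (`s.onerror = t.step_func_done();`), so they pass just as well when the load fails for a reason unrelated to the policy, such as a wrong path or a failed integrity check on the response. For 'mismatched integrity' and 'multiple mismatched integrity' the `sha256-xyz` values would presumably fail SRI on their own, so those cases do not show that the CSP hash source is what blocked the script. Consider also requiring a `securitypolicyviolation` event whose `blockedURI` is the script URL before calling `t.done()`; several cases share `./simpleSourcedScript.js`, so each would need a distinct URL (for example a per-case query string) to attribute the violation. Separately, `item[0].replace(' ', '-')` replaces only the first space, so the generated ids still contain spaces; `item[0].replace(/ /g, '-')` is probably what was intended.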