
Side by Side Diff: third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/script-src-sri_hash.sub.html

Issue 2784753003: CSP: Enable whitelisting of external JavaScript via hashes (Closed)
Patch Set: add tests for whitelisted host Created 3 years, 8 months ago
OLDNEW
(Empty)
1 <!DOCTYPE HTML>
2 <html>
3
4 <head>
5 <title>External scripts with matching SRI hash should be allowed.</title>
6 <script src='/resources/testharness.js' nonce='dummy'></script>
7 <script src='/resources/testharnessreport.js' nonce='dummy'></script>
8
9 <!-- CSP served: script-src {{domains[www]}}:* 'nonce-dummy' 'sha256-wIc3Ktq OuTFEu6t17sIBuOswgkV406VJvhSk79Gw6U0=' 'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+ haPGlByG9c=' 'sha512-rYCVMxWV5nq8IsMo+UZNObWtEiWGok/vDN8BMoEQi41s0znSes6E1Q2aag3 Lw3u2J1w2rqH7uF2ws6FpQhfSOA=' -->
10 </head>
11
12 <body>
13 <h1>External scripts with matching SRI hash should be allowed.</h1>
14 <div id='log'></div>
15
16 <script nonce='dummy'>
17 var port = "{{ports[http][0]}}";
18 if (location.protocol === "https:")
19 port = "{{ports[https][0]}}";
20 var crossorigin_base = location.protocol + "//{{domains[www]}}:" + port;
21
22 // Test name, src, integrity, expected to run.
23 var test_cases = [
24 [ 'matching integrity',
25 './simpleSourcedScript.js',
26 'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c=',
27 true ],
28 [ 'multiple matching integrity',
29 './simpleSourcedScript.js',
30 'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c= sha512-rYCVMxWV 5nq8IsMo+UZNObWtEiWGok/vDN8BMoEQi41s0znSes6E1Q2aag3Lw3u2J1w2rqH7uF2ws6FpQhfSOA=' ,
31 true ],
32 [ 'no integrity',
33 './simpleSourcedScript.js',
34 '',
35 false ],
36 [ 'matching plus unsupported integrity',
37 './simpleSourcedScript.js',
38 'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c= sha999-xyz',
39 true ],
40 [ 'mismatched integrity',
41 './simpleSourcedScript.js',
42 'sha256-xyz',
43 false ],
44 [ 'multiple mismatched integrity',
45 './simpleSourcedScript.js',
46 'sha256-xyz sha256-zyx',
47 false ],
48 [ 'partially matching integrity',
49 './simpleSourcedScript.js',
50 'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c= sha256-xyz',
51 false ],
52 [ 'crossorigin no integrity but whitelisted host',
53 crossorigin_base + '/content-security-policy/script-src/crossoriginS cript.js',
54 '',
55 true ],
56 [ 'crossorigin mismatched integrity but whitelisted host',
57 crossorigin_base + '/content-security-policy/script-src/crossoriginS cript.js',
58 'sha256-kKJ5c48yxzaaSBupJSCmY50hkD8xbVgZgLHLtmnkeAo=',
59 true ],
60 ];
61
62 test(_ => {
63 for (item of test_cases) {
64 async_test(t => {
65 var s = document.createElement('script');
66 s.id = item[0].replace(' ', '-');
67 s.src = item[1];
68 s.integrity = item[2];
69 s.setAttribute('crossorigin', 'anonymous');
70
71 if (item[3]) {
72 s.onerror = t.unreached_func("Script should load! " + s.src);
73 window.addEventListener('message', t.step_func(e => {
74 if (e.data == s.id)
75 t.done();
76 }));
77 } else {
78 s.onerror = t.step_func_done();
79 window.addEventListener('message', t.step_func(e => {
80 if (e.data == s.id)
81 assert_unreached("Script should not execute!");
82 }));
83 }
84
85 document.body.appendChild(s);
86 }, item[0]);
87 }
88 }, "Load all the tests.");
89 </script>
90
91 <script nonce='dummy'>
Marc Treib 2017/04/07 09:03:26 Here: New version with postMessage, but will time
92 async_test(t => {
93 window.addEventListener('message', t.step_func(e => {
94 if (e.data == 'external-script')
95 t.done();
96 }));
97 }, 'v2: External script in a script tag with matching SRI hash should ru n.');
98 </script>
99 <script id='external-script' src='./simpleSourcedScript.js'
100 integrity="sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c="></script >
101
102 <script nonce='dummy'>
Marc Treib 2017/04/07 09:03:26 Here: Old version with global variable (but it's n
103 var externalRan = false;
104 </script>
105 <script src='./externalScript.js'
106 integrity="sha256-wIc3KtqOuTFEu6t17sIBuOswgkV406VJvhSk79Gw6U0="></script >
107 <script nonce='dummy'>
108 test(function() {
109 assert_true(externalRan, 'External script ran.');
110 }, 'v1: External script in a script tag with matching SRI hash should ru n.');
111 </script>
112
113 </body>
114
115 </html>
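Review bot: In the loop over `test_cases`, `s.id = item[0].replace(' ', '-')` replaces only the first space, so most generated ids still contain spaces (for example `multiple-matching integrity`), and `for (item of test_cases)` leaves `item` as an implicit global. Each listener decides pass or fail by comparing `e.data == s.id`, so the id is what ties a posted message to its case; what the helper scripts post is not visible on this page. I would write `s.id = item[0].replace(/ /g, '-');` and `for (const item of test_cases)`. Separately, the case 'crossorigin mismatched integrity but whitelisted host' expects the script to run, which presumably means the digest is the real hash of crossoriginScript.js and is only absent from the policy, since SRI itself rejects a digest that does not match the body. A comment on that entry such as `// digest is valid for the resource but not listed in script-src; the host source allows the load` would keep a later reader from taking it for an SRI bypass.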