OLD | NEW |
(Empty) | |
| 1 <!DOCTYPE HTML> |
| 2 <html> |
| 3 |
| 4 <head> |
| 5 <title>External scripts with matching SRI hash should be allowed.</title> |
| 6 <script src='/resources/testharness.js' nonce='dummy'></script> |
| 7 <script src='/resources/testharnessreport.js' nonce='dummy'></script> |
| 8 |
| 9 <!-- CSP served: script-src {{domains[www]}}:* 'nonce-dummy' 'sha256-wIc3Ktq
OuTFEu6t17sIBuOswgkV406VJvhSk79Gw6U0=' 'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+
haPGlByG9c=' 'sha512-rYCVMxWV5nq8IsMo+UZNObWtEiWGok/vDN8BMoEQi41s0znSes6E1Q2aag3
Lw3u2J1w2rqH7uF2ws6FpQhfSOA=' --> |
| 10 </head> |
| 11 |
| 12 <body> |
| 13 <h1>External scripts with matching SRI hash should be allowed.</h1> |
| 14 <div id='log'></div> |
| 15 |
| 16 <script nonce='dummy'> |
| 17 var port = "{{ports[http][0]}}"; |
| 18 if (location.protocol === "https:") |
| 19 port = "{{ports[https][0]}}"; |
| 20 var crossorigin_base = location.protocol + "//{{domains[www]}}:" + port; |
| 21 |
| 22 // Test name, src, integrity, expected to run. |
| 23 var test_cases = [ |
| 24 [ 'matching integrity', |
| 25 './simpleSourcedScript.js', |
| 26 'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c=', |
| 27 true ], |
| 28 [ 'multiple matching integrity', |
| 29 './simpleSourcedScript.js', |
| 30 'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c= sha512-rYCVMxWV
5nq8IsMo+UZNObWtEiWGok/vDN8BMoEQi41s0znSes6E1Q2aag3Lw3u2J1w2rqH7uF2ws6FpQhfSOA='
, |
| 31 true ], |
| 32 [ 'no integrity', |
| 33 './simpleSourcedScript.js', |
| 34 '', |
| 35 false ], |
| 36 [ 'matching plus unsupported integrity', |
| 37 './simpleSourcedScript.js', |
| 38 'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c= sha999-xyz', |
| 39 true ], |
| 40 [ 'mismatched integrity', |
| 41 './simpleSourcedScript.js', |
| 42 'sha256-xyz', |
| 43 false ], |
| 44 [ 'multiple mismatched integrity', |
| 45 './simpleSourcedScript.js', |
| 46 'sha256-xyz sha256-zyx', |
| 47 false ], |
| 48 [ 'partially matching integrity', |
| 49 './simpleSourcedScript.js', |
| 50 'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c= sha256-xyz', |
| 51 false ], |
| 52 [ 'crossorigin no integrity but whitelisted host', |
| 53 crossorigin_base + '/content-security-policy/script-src/crossoriginS
cript.js', |
| 54 '', |
| 55 true ], |
| 56 [ 'crossorigin mismatched integrity but whitelisted host', |
| 57 crossorigin_base + '/content-security-policy/script-src/crossoriginS
cript.js', |
| 58 'sha256-kKJ5c48yxzaaSBupJSCmY50hkD8xbVgZgLHLtmnkeAo=', |
| 59 true ], |
| 60 ]; |
| 61 |
| 62 test(_ => { |
| 63 for (item of test_cases) { |
| 64 async_test(t => { |
| 65 var s = document.createElement('script'); |
| 66 s.id = item[0].replace(' ', '-'); |
| 67 s.src = item[1]; |
| 68 s.integrity = item[2]; |
| 69 s.setAttribute('crossorigin', 'anonymous'); |
| 70 |
| 71 if (item[3]) { |
| 72 s.onerror = t.unreached_func("Script should load! " + s.src); |
| 73 window.addEventListener('message', t.step_func(e => { |
| 74 if (e.data == s.id) |
| 75 t.done(); |
| 76 })); |
| 77 } else { |
| 78 s.onerror = t.step_func_done(); |
| 79 window.addEventListener('message', t.step_func(e => { |
| 80 if (e.data == s.id) |
| 81 assert_unreached("Script should not execute!"); |
| 82 })); |
| 83 } |
| 84 |
| 85 document.body.appendChild(s); |
| 86 }, item[0]); |
| 87 } |
| 88 }, "Load all the tests."); |
| 89 </script> |
| 90 |
| 91 <script nonce='dummy'> |
| 92 var externalRan = false; |
| 93 </script> |
| 94 <script src='./externalScript.js' |
| 95 integrity="sha256-wIc3KtqOuTFEu6t17sIBuOswgkV406VJvhSk79Gw6U0="></script
> |
| 96 <script nonce='dummy'> |
| 97 test(function() { |
| 98 assert_true(externalRan, 'External script ran.'); |
| 99 }, 'External script in a script tag with matching SRI hash should run.')
; |
| 100 </script> |
| 101 |
| 102 </body> |
| 103 |
| 104 </html> |
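Review bot: The negative cases (the `else` branch at new lines 77-83) finish on any `error` event, so they pass whenever the script fails to load for any reason, not only when the CSP hash check refuses it. For 'mismatched integrity' and 'multiple mismatched integrity' an SRI failure alone would presumably also fire `error`, so these two cases would still pass if the policy were not enforced at all. Completing the test from a `securitypolicyviolation` event whose `blockedURI` is this case's URL would tie the result to the policy. Because every negative case loads the same `./simpleSourcedScript.js`, each case needs a distinct URL for that match to be unambiguous. The sketch below assumes the helper script ignores its query string, which should be confirmed.

```html
s.src = item[1] + '?case=' + encodeURIComponent(s.id);  // distinct URL per case; bytes and hash unchanged
// … unchanged: integrity and crossorigin attributes, positive branch …
} else {
  // Finish only when the policy reports this URL as blocked, not on any load error.
  document.addEventListener('securitypolicyviolation', t.step_func(e => {
    if (e.blockedURI == s.src)
      t.done();
  }));
  // … unchanged: message listener asserting the script did not execute …
}
```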
OLD | NEW |