Chromium Code Reviews Chromium Code Reviews
Issue 2784753003:
CSP: Enable whitelisting of external JavaScript via hashes (Closed)
| Index: third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/script-src-sri_hash.html |
| diff --git a/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/script-src-sri_hash.html b/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/script-src-sri_hash.html |
| new file mode 100644 |
| index 0000000000000000000000000000000000000000..b8cdfc203e01168eb399759e20f59672940bcdaa |
| --- /dev/null |
| +++ b/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/script-src-sri_hash.html |
| @@ -0,0 +1,88 @@ |
| +<!DOCTYPE HTML> |
| +<html> |
| + |
| +<head> |
| + <title>External scripts with matching SRI hash should be allowed.</title> |
| + <script src='/resources/testharness.js' nonce='dummy'></script> |
| + <script src='/resources/testharnessreport.js' nonce='dummy'></script> |
| + |
| + <!-- CSP served: script-src 'nonce-dummy' 'sha256-wIc3KtqOuTFEu6t17sIBuOswgkV406VJvhSk79Gw6U0=' 'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c=' 'sha512-rYCVMxWV5nq8IsMo+UZNObWtEiWGok/vDN8BMoEQi41s0znSes6E1Q2aag3Lw3u2J1w2rqH7uF2ws6FpQhfSOA=' --> |
| +</head> |
| + |
| +<body> |
| + <h1>External scripts with matching SRI hash should be allowed.</h1> |
| + <div id='log'></div> |
| + |
| + <script nonce='dummy'> |
| + // Test name, integrity, expected to run. |
| + var test_cases = [ |
| + [ 'matching integrity', |
| + 'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c=', |
| + true ], |
| + [ 'multiple matching integrity', |
| + 'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c= sha512-rYCVMxWV5nq8IsMo+UZNObWtEiWGok/vDN8BMoEQi41s0znSes6E1Q2aag3Lw3u2J1w2rqH7uF2ws6FpQhfSOA=', |
| + true ], |
| + [ 'no integrity', '', false ], |
| + [ 'matching plus unsupported integrity', |
| + 'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c= sha999-xyz', |
| + true ], |
| + [ 'mismatched integrity', 'sha256-xyz', false ], |
| + [ 'multiple mismatched intgerity', 'sha256-xyz sha256-zyx', false ], |
| + [ 'partially matching integrity', |
| + 'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c= sha256-xyz', |
| + false ], |
| + ]; |
| + |
| + test(_ => { |
| + for (item of test_cases) { |
| + async_test(t => { |
| + var s = document.createElement('script'); |
| + s.id = item[0].replace(' ', '-'); |
| + s.src = './simpleSourcedScript.js'; |
| + s.integrity = item[1]; |
| + |
| + if (item[2]) { |
| + s.onerror = t.unreached_func("Script should load!"); |
| + window.addEventListener('message', t.step_func(e => { |
| + if (e.data == s.id) |
| + t.done(); |
| + })); |
| + } else { |
| + s.onerror = t.step_func_done(); |
| + window.addEventListener('message', t.step_func(e => { |
| + if (e.data == s.id) |
| + assert_unreached("Script should not execute!"); |
| + })); |
| + } |
| + |
| + document.body.appendChild(s); |
| + }, item[0]); |
| + } |
| + }, "Load all the tests."); |
| + </script> |
| + |
| + <script nonce='dummy'> |
|
Marc Treib
2017/04/06 12:26:30
This is the new attempt for the parser-inserted-sc
|
| + async_test(t => { |
| + window.addEventListener('message', t.step_func(e => { |
| + if (e.data == 'external-script') |
| + t.done(); |
| + })); |
| + }, 'v2: External script in a script tag with matching SRI hash should run.'); |
| + </script> |
| + <script id='external-script' src='./simpleSourcedScript.js' |
| + integrity="sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c="></script> |
| + |
| + <script nonce='dummy'> |
|
Marc Treib
2017/04/06 12:26:30
This is the previous version of the parser-inserte
|
| + var externalRan = false; |
| + </script> |
| + <script src='./externalScript.js' |
| + integrity="sha256-wIc3KtqOuTFEu6t17sIBuOswgkV406VJvhSk79Gw6U0="></script> |
| + <script nonce='dummy'> |
| + test(function() { |
| + assert_true(externalRan, 'External script ran.'); |
| + }, 'v1: External script in a script tag with matching SRI hash should run.'); |
| + </script> |
| + |
| +</body> |
| + |
| +</html> |
