CSP: Enable whitelisting of external JavaScript via hashes

third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/script-src-sri_hash.sub.html

Index: third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/script-src-sri_hash.sub.html
diff --git a/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/script-src-sri_hash.sub.html b/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/script-src-sri_hash.sub.html
new file mode 100644
index 0000000000000000000000000000000000000000..e4fa5273f9777a68802606986a0525dde353eeab
--- /dev/null
+++ b/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/script-src/script-src-sri_hash.sub.html
@@ -0,0 +1,115 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+    <title>External scripts with matching SRI hash should be allowed.</title>
+    <script src='/resources/testharness.js' nonce='dummy'></script>
+    <script src='/resources/testharnessreport.js' nonce='dummy'></script>
+
+    <!-- CSP served: script-src {{domains[www]}}:* 'nonce-dummy' 'sha256-wIc3KtqOuTFEu6t17sIBuOswgkV406VJvhSk79Gw6U0=' 'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c=' 'sha512-rYCVMxWV5nq8IsMo+UZNObWtEiWGok/vDN8BMoEQi41s0znSes6E1Q2aag3Lw3u2J1w2rqH7uF2ws6FpQhfSOA=' -->
+</head>
+
+<body>
+    <h1>External scripts with matching SRI hash should be allowed.</h1>
+    <div id='log'></div>
+
+    <script nonce='dummy'>
+        var port = "{{ports[http][0]}}";
+        if (location.protocol === "https:")
+          port = "{{ports[https][0]}}";
+        var crossorigin_base = location.protocol + "//{{domains[www]}}:" + port;
+
+        // Test name, src, integrity, expected to run.
+        var test_cases = [
+          [ 'matching integrity',
+            './simpleSourcedScript.js',
+            'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c=',
+            true ],
+          [ 'multiple matching integrity',
+            './simpleSourcedScript.js',
+            'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c= sha512-rYCVMxWV5nq8IsMo+UZNObWtEiWGok/vDN8BMoEQi41s0znSes6E1Q2aag3Lw3u2J1w2rqH7uF2ws6FpQhfSOA=',
+            true ],
+          [ 'no integrity',
+            './simpleSourcedScript.js',
+            '',
+            false ],
+          [ 'matching plus unsupported integrity',
+            './simpleSourcedScript.js',
+            'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c= sha999-xyz',
+            true ],
+          [ 'mismatched integrity',
+            './simpleSourcedScript.js',
+            'sha256-xyz',
+            false ],
+          [ 'multiple mismatched integrity',
+            './simpleSourcedScript.js',
+            'sha256-xyz sha256-zyx',
+            false ],
+          [ 'partially matching integrity',
+            './simpleSourcedScript.js',
+            'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c= sha256-xyz',
+            false ],
+          [ 'crossorigin no integrity but whitelisted host',
+            crossorigin_base + '/content-security-policy/script-src/crossoriginScript.js',
+            '',
+            true ],
+          [ 'crossorigin mismatched integrity but whitelisted host',
+            crossorigin_base + '/content-security-policy/script-src/crossoriginScript.js',
+            'sha256-kKJ5c48yxzaaSBupJSCmY50hkD8xbVgZgLHLtmnkeAo=',
+            true ],
+        ];
+
+        test(_ => {
+          for (item of test_cases) {
+            async_test(t => {
+              var s = document.createElement('script');
+              s.id = item[0].replace(' ', '-');
+              s.src = item[1];
+              s.integrity = item[2];
+              s.setAttribute('crossorigin', 'anonymous');
+
+              if (item[3]) {
+                s.onerror = t.unreached_func("Script should load! " + s.src);
+                window.addEventListener('message', t.step_func(e => {
+                  if (e.data == s.id)
+                    t.done();
+                }));
+              } else {
+                s.onerror = t.step_func_done();
+                window.addEventListener('message', t.step_func(e => {
+                  if (e.data == s.id)
+                    assert_unreached("Script should not execute!");
+                }));
+              }
+
+              document.body.appendChild(s);
+            }, item[0]);
+          }
+        }, "Load all the tests.");
+    </script>
+
+    <script nonce='dummy'>

[Marc Treib, 2017/04/07 09:03:26]

Here: New version with postMessage, but will time out rather than fail if
something goes wrong.

+        async_test(t => {
+          window.addEventListener('message', t.step_func(e => {
+            if (e.data == 'external-script')
+              t.done();
+          }));
+        }, 'v2: External script in a script tag with matching SRI hash should run.');
+    </script>
+    <script id='external-script' src='./simpleSourcedScript.js'
+        integrity="sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c="></script>
+
+    <script nonce='dummy'>

[Marc Treib, 2017/04/07 09:03:26]

Here: Old version with global variable (but it's now the only test that uses
it).

+        var externalRan = false;
+    </script>
+    <script src='./externalScript.js'
+        integrity="sha256-wIc3KtqOuTFEu6t17sIBuOswgkV406VJvhSk79Gw6U0="></script>
+    <script nonce='dummy'>
+        test(function() {
+            assert_true(externalRan, 'External script ran.');
+        }, 'v1: External script in a script tag with matching SRI hash should run.');
+    </script>
+
+</body>
+
+</html>