
Unified Diff: Source/core/frame/SubresourceIntegrityTest.cpp

Issue 954233003: Enable SRI only for same origin and CORS content. (Closed) Base URL: https://chromium.googlesource.com/chromium/blink.git@master
Patch Set: Rebase on ToT Created 5 years, 9 months ago
Index: Source/core/frame/SubresourceIntegrityTest.cpp
diff --git a/Source/core/frame/SubresourceIntegrityTest.cpp b/Source/core/frame/SubresourceIntegrityTest.cpp
index 560a37f5b76b8031a96c674f59c0863af545b0f0..a39271509d8e1b1a01abb22cdaa88c66f63a6750 100644
--- a/Source/core/frame/SubresourceIntegrityTest.cpp
+++ b/Source/core/frame/SubresourceIntegrityTest.cpp
@@ -7,6 +7,8 @@
#include "core/HTMLNames.h"
#include "core/dom/Document.h"
+#include "core/fetch/Resource.h"
+#include "core/fetch/ResourcePtr.h"
#include "core/html/HTMLScriptElement.h"
#include "platform/Crypto.h"
#include "platform/weborigin/KURL.h"
@@ -136,16 +138,28 @@ protected:
EXPECT_FALSE(SubresourceIntegrity::parseIntegrityAttribute(integrityAttribute, digest, algorithm, type, *document));
}
- void expectIntegrity(const char* integrity, const char* script, const KURL& url, const String& mimeType = String())
+ void expectIntegrity(const char* integrity, const char* script, const KURL& url, const KURL& requestorUrl, const String& mimeType = String())
{
scriptElement->setAttribute(HTMLNames::integrityAttr, integrity);
- EXPECT_TRUE(SubresourceIntegrity::CheckSubresourceIntegrity(*scriptElement, script, url, mimeType));
+ EXPECT_TRUE(SubresourceIntegrity::CheckSubresourceIntegrity(*scriptElement, script, url, mimeType, *createTestResource(url, requestorUrl).get()));
}
- void expectIntegrityFailure(const char* integrity, const char* script, const KURL& url, const String& mimeType = String())
+ void expectIntegrityFailure(const char* integrity, const char* script, const KURL& url, const KURL& requestorUrl, const String& mimeType = String())
{
scriptElement->setAttribute(HTMLNames::integrityAttr, integrity);
- EXPECT_FALSE(SubresourceIntegrity::CheckSubresourceIntegrity(*scriptElement, script, url, mimeType));
+ EXPECT_FALSE(SubresourceIntegrity::CheckSubresourceIntegrity(*scriptElement, script, url, mimeType, *createTestResource(url, requestorUrl).get()));
+ }
+
+ ResourcePtr<Resource> createTestResource(const KURL& url, const KURL& allowOriginUrl)
+ {
+ OwnPtr<ResourceResponse> response = adoptPtr(new ResourceResponse);
+ response->setURL(url);
+ response->setHTTPStatusCode(200);
+ response->setHTTPHeaderField("access-control-allow-origin", SecurityOrigin::create(allowOriginUrl)->toAtomicString());
Mike West 2015/03/06 03:19:37 It would be nice if this bit was parameterized; ri
jww 2015/03/06 08:24:21 Done.
+ response->setHTTPHeaderField("access-control-allow-credentials", "true");
+ ResourcePtr<Resource> resource = new Resource(ResourceRequest(response->url()), Resource::Raw);
+ resource->setResponse(*response);
+ return resource;
}
KURL secureURL;
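Review bot: Every Resource produced by createTestResource carries an `access-control-allow-origin` header matching the requestor and `access-control-allow-credentials: true`, so the updated call sites in the two TEST_F hunks below (secureURL/secureURL and secureURL/insecureURL) only ever exercise the CORS-permitted path; unless covered elsewhere in the file, the case this change is meant to reject — a cross-origin response with no CORS headers — has no `expectIntegrityFailure` test. A second helper that builds the ResourceResponse without the `access-control-*` fields (or a flag on createTestResource controlling whether they are set) would let a test assert `CheckSubresourceIntegrity` returns false for a requestor on a different origin. Separately, `*createTestResource(url, requestorUrl).get()` dereferences through `.get()` on a temporary; this is safe here because the Resource lives for the full expression, but if ResourcePtr exposes `operator*` the `.get()` is redundant and the line could read `*createTestResource(url, requestorUrl)`. The fixture class containing these helpers begins before this hunk.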
@@ -273,15 +287,15 @@ TEST_F(SubresourceIntegrityTest, CheckSubresourceIntegrityInSecureOrigin)
document->updateSecurityOrigin(secureOrigin->isolatedCopy());
// Verify basic sha256, sha384, and sha512 integrity checks.
- expectIntegrity(kSha256Integrity, kBasicScript, secureURL);
- expectIntegrity(kSha384Integrity, kBasicScript, secureURL);
- expectIntegrity(kSha512Integrity, kBasicScript, secureURL);
+ expectIntegrity(kSha256Integrity, kBasicScript, secureURL, secureURL);
+ expectIntegrity(kSha384Integrity, kBasicScript, secureURL, secureURL);
+ expectIntegrity(kSha512Integrity, kBasicScript, secureURL, secureURL);
// The hash label must match the hash value.
- expectIntegrityFailure(kSha384IntegrityLabeledAs256, kBasicScript, secureURL);
+ expectIntegrityFailure(kSha384IntegrityLabeledAs256, kBasicScript, secureURL, secureURL);
// Unsupported hash functions should fail.
- expectIntegrityFailure(kUnsupportedHashFunctionIntegrity, kBasicScript, secureURL);
+ expectIntegrityFailure(kUnsupportedHashFunctionIntegrity, kBasicScript, secureURL, secureURL);
}
TEST_F(SubresourceIntegrityTest, CheckSubresourceIntegrityInInsecureOrigin)
@@ -289,11 +303,11 @@ TEST_F(SubresourceIntegrityTest, CheckSubresourceIntegrityInInsecureOrigin)
// The same checks as CheckSubresourceIntegrityInSecureOrigin should pass here.
document->updateSecurityOrigin(insecureOrigin->isolatedCopy());
- expectIntegrity(kSha256Integrity, kBasicScript, secureURL);
- expectIntegrity(kSha384Integrity, kBasicScript, secureURL);
- expectIntegrity(kSha512Integrity, kBasicScript, secureURL);
- expectIntegrityFailure(kSha384IntegrityLabeledAs256, kBasicScript, secureURL);
- expectIntegrityFailure(kUnsupportedHashFunctionIntegrity, kBasicScript, secureURL);
+ expectIntegrity(kSha256Integrity, kBasicScript, secureURL, insecureURL);
+ expectIntegrity(kSha384Integrity, kBasicScript, secureURL, insecureURL);
+ expectIntegrity(kSha512Integrity, kBasicScript, secureURL, insecureURL);
+ expectIntegrityFailure(kSha384IntegrityLabeledAs256, kBasicScript, secureURL, insecureURL);
+ expectIntegrityFailure(kUnsupportedHashFunctionIntegrity, kBasicScript, secureURL, insecureURL);
}
} // namespace blink
