Recommit Enable SRI only for same origin and CORS content

Source/core/frame/SubresourceIntegrityTest.cpp

Index: Source/core/frame/SubresourceIntegrityTest.cpp
diff --git a/Source/core/frame/SubresourceIntegrityTest.cpp b/Source/core/frame/SubresourceIntegrityTest.cpp
index 560a37f5b76b8031a96c674f59c0863af545b0f0..ecfdeed38952f1c74298e5595e8d0ed55a8a2eec 100644
--- a/Source/core/frame/SubresourceIntegrityTest.cpp
+++ b/Source/core/frame/SubresourceIntegrityTest.cpp
@@ -7,6 +7,8 @@
 
 #include "core/HTMLNames.h"
 #include "core/dom/Document.h"
+#include "core/fetch/Resource.h"
+#include "core/fetch/ResourcePtr.h"
 #include "core/html/HTMLScriptElement.h"
 #include "platform/Crypto.h"
 #include "platform/weborigin/KURL.h"
@@ -136,16 +138,35 @@ protected:
         EXPECT_FALSE(SubresourceIntegrity::parseIntegrityAttribute(integrityAttribute, digest, algorithm, type, *document));
     }
 
-    void expectIntegrity(const char* integrity, const char* script, const KURL& url, const String& mimeType = String())
+    enum CorsStatus {
+        WithCors,
+        NoCors
+    };
+
+    void expectIntegrity(const char* integrity, const char* script, const KURL& url, const KURL& requestorUrl, const String& mimeType = String(), CorsStatus corsStatus = WithCors)
     {
         scriptElement->setAttribute(HTMLNames::integrityAttr, integrity);
-        EXPECT_TRUE(SubresourceIntegrity::CheckSubresourceIntegrity(*scriptElement, script, url, mimeType));
+        EXPECT_TRUE(SubresourceIntegrity::CheckSubresourceIntegrity(*scriptElement, script, url, mimeType, *createTestResource(url, requestorUrl, corsStatus).get()));
     }
 
-    void expectIntegrityFailure(const char* integrity, const char* script, const KURL& url, const String& mimeType = String())
+    void expectIntegrityFailure(const char* integrity, const char* script, const KURL& url, const KURL& requestorUrl, const String& mimeType = String(), CorsStatus corsStatus = WithCors)
     {
         scriptElement->setAttribute(HTMLNames::integrityAttr, integrity);
-        EXPECT_FALSE(SubresourceIntegrity::CheckSubresourceIntegrity(*scriptElement, script, url, mimeType));
+        EXPECT_FALSE(SubresourceIntegrity::CheckSubresourceIntegrity(*scriptElement, script, url, mimeType, *createTestResource(url, requestorUrl, corsStatus).get()));
+    }
+
+    ResourcePtr<Resource> createTestResource(const KURL& url, const KURL& allowOriginUrl, CorsStatus corsStatus)
+    {
+        OwnPtr<ResourceResponse> response = adoptPtr(new ResourceResponse);
+        response->setURL(url);
+        response->setHTTPStatusCode(200);
+        if (corsStatus == WithCors) {
+            response->setHTTPHeaderField("access-control-allow-origin", SecurityOrigin::create(allowOriginUrl)->toAtomicString());
+            response->setHTTPHeaderField("access-control-allow-credentials", "true");
+        }
+        ResourcePtr<Resource> resource = new Resource(ResourceRequest(response->url()), Resource::Raw);
+        resource->setResponse(*response);
+        return resource;
     }
 
     KURL secureURL;
@@ -273,27 +294,37 @@ TEST_F(SubresourceIntegrityTest, CheckSubresourceIntegrityInSecureOrigin)
     document->updateSecurityOrigin(secureOrigin->isolatedCopy());
 
     // Verify basic sha256, sha384, and sha512 integrity checks.
-    expectIntegrity(kSha256Integrity, kBasicScript, secureURL);
-    expectIntegrity(kSha384Integrity, kBasicScript, secureURL);
-    expectIntegrity(kSha512Integrity, kBasicScript, secureURL);
+    expectIntegrity(kSha256Integrity, kBasicScript, secureURL, secureURL);
+    expectIntegrity(kSha384Integrity, kBasicScript, secureURL, secureURL);
+    expectIntegrity(kSha512Integrity, kBasicScript, secureURL, secureURL);
 
     // The hash label must match the hash value.
-    expectIntegrityFailure(kSha384IntegrityLabeledAs256, kBasicScript, secureURL);
+    expectIntegrityFailure(kSha384IntegrityLabeledAs256, kBasicScript, secureURL, secureURL);
 
     // Unsupported hash functions should fail.
-    expectIntegrityFailure(kUnsupportedHashFunctionIntegrity, kBasicScript, secureURL);
+    expectIntegrityFailure(kUnsupportedHashFunctionIntegrity, kBasicScript, secureURL, secureURL);
+
+    // All parameters are fine, and because this is not cross origin, CORS is
+    // not needed.
+    expectIntegrity(kSha256Integrity, kBasicScript, secureURL, secureURL, String(), NoCors);
 }
 
 TEST_F(SubresourceIntegrityTest, CheckSubresourceIntegrityInInsecureOrigin)
 {
-    // The same checks as CheckSubresourceIntegrityInSecureOrigin should pass here.
+    // The same checks as CheckSubresourceIntegrityInSecureOrigin should pass
+    // here, with the expection of the NoCors check at the end.
     document->updateSecurityOrigin(insecureOrigin->isolatedCopy());
 
-    expectIntegrity(kSha256Integrity, kBasicScript, secureURL);
-    expectIntegrity(kSha384Integrity, kBasicScript, secureURL);
-    expectIntegrity(kSha512Integrity, kBasicScript, secureURL);
-    expectIntegrityFailure(kSha384IntegrityLabeledAs256, kBasicScript, secureURL);
-    expectIntegrityFailure(kUnsupportedHashFunctionIntegrity, kBasicScript, secureURL);
+    expectIntegrity(kSha256Integrity, kBasicScript, secureURL, insecureURL);
+    expectIntegrity(kSha384Integrity, kBasicScript, secureURL, insecureURL);
+    expectIntegrity(kSha512Integrity, kBasicScript, secureURL, insecureURL);
+    expectIntegrityFailure(kSha384IntegrityLabeledAs256, kBasicScript, secureURL, insecureURL);
+    expectIntegrityFailure(kUnsupportedHashFunctionIntegrity, kBasicScript, secureURL, insecureURL);
+
+    // This check should fail because, unlike in the
+    // CheckSubresourceIntegirtyInSecureOrigin case, this is cross origin
+    // (secure origin requesting a resource on an insecure origin)
+    expectIntegrityFailure(kSha256Integrity, kBasicScript, secureURL, insecureURL, String(), NoCors);
 }
 
 } // namespace blink