iframe_script_sameorigin.html (9914B)
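<!DOCTYPE HTML>
<!-- Any copyright is dedicated to the Public Domain.
     http://creativecommons.org/publicdomain/zero/1.0/ -->
<!--
  Subresource Integrity (SRI) test for script elements whose sources are
  relative URLs or blob: URLs created by this document.

  Each case below is a script element carrying an integrity attribute and a
  pair of inline handlers. The handler named good_* records a pass and the one
  named bad_* records a failure; which of onload/onerror gets the good_*
  handler states the expected outcome of that case.

  Outcomes this file expects:
    - a matching digest loads, a non-matching digest is blocked;
    - when several algorithms are listed, the strongest one decides the
      result, so a matching weaker digest does not rescue the load;
    - an empty, whitespace-only, malformed or unsupported integrity value is
      skipped and the script loads without any check.
-->
<html>
<head>
  <script src="/tests/SimpleTest/SimpleTest.js"></script>
  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
  <script type="application/javascript">
    // Keep the test open until the document's load event has fired.
    SimpleTest.waitForExplicitFinish();
    window.onload = function() {
      // NOTE(review): a case whose element fires neither onload nor onerror
      // records no result at all, and nothing here checks that every case
      // reported. Consider counting handler calls before finishing.
      SimpleTest.finish();
    };
  </script>
  <script>
    // Result handlers. Each function records exactly one ok() result.

    // Single matching digest.
    function good_correctHashLoaded() {
      ok(true, "A script was correctly loaded when integrity matched");
    }
    function bad_correctHashBlocked() {
      ok(false, "We should load scripts with hashes that match!");
    }

    // Several digests of the same algorithm, one of which matches.
    function good_correctHashArrayLoaded() {
      ok(true, "A script was correctly loaded when one of the hashes in the integrity attribute matched");
    }
    function bad_correctHashArrayBlocked() {
      ok(false, "We should load scripts with at least one hash that match!");
    }

    // integrity="" : no metadata, so nothing to verify.
    function good_emptyIntegrityLoaded() {
      ok(true, "A script was correctly loaded when the integrity attribute was empty");
    }
    function bad_emptyIntegrityBlocked() {
      ok(false, "We should load scripts with empty integrity attributes!");
    }

    // Whitespace-only integrity value.
    function good_whitespaceIntegrityLoaded() {
      ok(true, "A script was correctly loaded when the integrity attribute only contained whitespace");
    }
    function bad_whitespaceIntegrityBlocked() {
      ok(false, "We should load scripts with integrity attributes containing only whitespace!");
    }

    // Single well-formed digest that does not match the content.
    function good_incorrectHashBlocked() {
      ok(true, "A script was correctly blocked, because the hash digest was wrong");
    }
    function bad_incorrectHashLoaded() {
      ok(false, "We should not load scripts with hashes that do not match the content!");
    }

    // Several well-formed digests, none of which matches.
    function good_incorrectHashArrayBlocked() {
      ok(true, "A script was correctly blocked, because all the hashes were wrong");
    }
    function bad_incorrectHashArrayLoaded() {
      ok(false, "We should not load scripts when none of the hashes match the content!");
    }

    // Digest whose length does not fit the named algorithm.
    function good_incorrectHashLengthBlocked() {
      ok(true, "A script was correctly blocked, because the hash length was wrong");
    }
    function bad_incorrectHashLengthLoaded() {
      ok(false, "We should not load scripts with hashes that don't have the right length!");
    }

    // Unknown algorithm prefix: expected to be skipped, so the script loads.
    function bad_incorrectHashFunctionBlocked() {
      ok(false, "We should load scripts with invalid/unsupported hash functions!");
    }
    function good_incorrectHashFunctionLoaded() {
      ok(true, "A script was correctly loaded, despite the hash function being invalid/unsupported.");
    }

    // No algorithm prefix at all: expected to be skipped, so the script loads.
    function bad_missingHashFunctionBlocked() {
      ok(false, "We should load scripts with missing hash functions!");
    }
    function good_missingHashFunctionLoaded() {
      ok(true, "A script was correctly loaded, despite a missing hash function.");
    }

    // Algorithm prefix without a digest: expected to be skipped as well.
    function bad_missingHashValueBlocked() {
      ok(false, "We should load scripts with missing hash digests!");
    }
    function good_missingHashValueLoaded() {
      ok(true, "A script was correctly loaded, despite the missing hash digest.");
    }

    // HTTP 401 response for the script URL.
    function good_401Blocked() {
      ok(true, "A script was not loaded because of 401 response.");
    }
    function bad_401Loaded() {
      ok(false, "We should not load scripts with a 401 response!");
    }

    // HTTP 302 response, digest matches.
    function good_valid302Loaded() {
      ok(true, "A script was loaded successfully despite a 302 response.");
    }
    function bad_valid302Blocked() {
      ok(false, "We should load scripts with a 302 response and the right hash!");
    }

    // HTTP 302 response, digest does not match.
    function good_invalid302Blocked() {
      ok(true, "A script was blocked successfully after a 302 response.");
    }
    function bad_invalid302Loaded() {
      ok(false, "We should not load scripts with a 302 response and the wrong hash!");
    }

    // blob: URL, digest matches.
    function good_validBlobLoaded() {
      ok(true, "A script was loaded successfully from a blob: URL.");
    }
    function bad_validBlobBlocked() {
      ok(false, "We should load scripts using blob: URLs with the right hash!");
    }

    // blob: URL, digest does not match.
    function good_invalidBlobBlocked() {
      ok(true, "A script was blocked successfully from a blob: URL.");
    }
    function bad_invalidBlobLoaded() {
      ok(false, "We should not load scripts using blob: URLs with the wrong hash!");
    }
  </script>
</head>
<body>
  <!-- valid hash. should trigger onload -->
  <!-- the hash value comes from running this command:
       cat script.js | openssl dgst -sha256 -binary | openssl enc -base64 -A
  -->
  <script src="script.js"
          integrity="sha256-RkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA="
          onerror="bad_correctHashBlocked()"
          onload="good_correctHashLoaded()"></script>

  <!-- valid sha512 hash. should trigger onload.
       The text after "?" sits in the option position of the metadata; this
       case expects it to have no effect on matching. It shares the generic
       correctHash handlers, so a failure here is reported with the same
       message as the sha256 case above. -->
  <script src="script.js"
          integrity="sha512-mzSqH+vC6qrXX46JX2WEZ0FtY/lGj/5+5yYCBlk0jfYHLm0vP6XgsURbq83mwMApsnwbDLXdgjp5J8E93GT6Mw==?ignore=this"
          onerror="bad_correctHashBlocked()"
          onload="good_correctHashLoaded()"></script>

  <!-- one valid sha256 hash. should trigger onload.
       The first and third digests differ from the valid one only in the case
       of the first character. -->
  <script src="script.js"
          integrity="sha256-rkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA= sha256-RkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA= sha256-rkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA="
          onerror="bad_correctHashArrayBlocked()"
          onload="good_correctHashArrayLoaded()"></script>

  <!-- empty integrity. should trigger onload -->
  <script src="script.js"
          integrity=""
          onerror="bad_emptyIntegrityBlocked()"
          onload="good_emptyIntegrityLoaded()"></script>

  <!-- whitespace integrity. should trigger onload -->
  <script src="script.js"
          integrity="

  "
          onerror="bad_whitespaceIntegrityBlocked()"
          onload="good_whitespaceIntegrityLoaded()"></script>

  <!-- invalid sha256 hash but valid sha384 hash. should trigger onload.
       sha384 is the strongest algorithm listed, so it decides the result and
       the malformed sha256 entry does not matter. The trailing "?" is an
       empty option part. -->
  <script src="script.js"
          integrity="sha256-bogus sha384-zDCkvKOHXk8mM6Nk07oOGXGME17PA4+ydFw+hq0r9kgF6ZDYFWK3fLGPEy7FoOAo?"
          onerror="bad_correctHashBlocked()"
          onload="good_correctHashLoaded()"></script>

  <!-- valid sha256 and invalid sha384. should trigger onerror.
       Only the strongest algorithm listed is checked, so the matching sha256
       entry does not rescue the load. The sha384 entry carries the sha256
       digest, which is why the "hash length" handlers are used. -->
  <script src="script.js"
          integrity="sha256-RkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA= sha384-RkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA="
          onerror="good_incorrectHashLengthBlocked()"
          onload="bad_incorrectHashLengthLoaded()"></script>

  <!-- invalid hash. should trigger onerror -->
  <script src="script.js"
          integrity="sha256-rkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA="
          onerror="good_incorrectHashBlocked()"
          onload="bad_incorrectHashLoaded()"></script>

  <!-- invalid hashes. should trigger onerror.
       Wired to the dedicated array handlers so that a regression in this case
       is reported separately from the single-digest case above. -->
  <script src="script.js"
          integrity="sha256-rkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA= sha256-ZkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA= sha256-zkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA="
          onerror="good_incorrectHashArrayBlocked()"
          onload="bad_incorrectHashArrayLoaded()"></script>

  <!-- The next three cases document the fail-open side of SRI: metadata that
       names no supported algorithm, or that cannot be parsed, is skipped
       rather than treated as a mismatch. A typo in the algorithm prefix of a
       production integrity attribute therefore removes the protection
       without any visible error. -->

  <!-- invalid hash function. should trigger onload -->
  <script src="script.js"
          integrity="rot13-RkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA="
          onerror="bad_incorrectHashFunctionBlocked()"
          onload="good_incorrectHashFunctionLoaded()"></script>

  <!-- missing hash function. should trigger onload -->
  <script src="script.js"
          integrity="RkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA="
          onerror="bad_missingHashFunctionBlocked()"
          onload="good_missingHashFunctionLoaded()"></script>

  <!-- missing hash value. should trigger onload -->
  <script src="script.js"
          integrity="sha512-"
          onerror="bad_missingHashValueBlocked()"
          onload="good_missingHashValueLoaded()"></script>

  <!-- 401 response. should trigger onerror.
       NOTE(review): the body served for script_401.js is not visible here;
       the digest is the one used for script.js above. -->
  <script src="script_401.js"
          integrity="sha256-RkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA="
          onerror="good_401Blocked()"
          onload="bad_401Loaded()"></script>

  <!-- valid sha256 after a redirection. should trigger onload.
       NOTE(review): script_302.js presumably redirects to script.js, since
       the digest is the one used for script.js above. Confirm against the
       server-side handler. -->
  <script src="script_302.js"
          integrity="sha256-RkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA="
          onerror="bad_valid302Blocked()"
          onload="good_valid302Loaded()"></script>

  <!-- invalid sha256 after a redirection. should trigger onerror -->
  <script src="script_302.js"
          integrity="sha256-JSi74NSN8WQNr9syBGmNg2APJp9PnHUO5ioZo5hmIiQ="
          onerror="good_invalid302Blocked()"
          onload="bad_invalid302Loaded()"></script>

  <!-- valid sha256 for a blob: URL -->
  <script>
    // The script element is created dynamically, so integrity and both
    // handlers are set before it is inserted into the document.
    var blob = new Blob(["console.log('blob:valid');"],
                        {type:"application/javascript"});
    var script = document.createElement('script');
    script.setAttribute('src', URL.createObjectURL(blob));
    script.setAttribute('integrity', 'sha256-AwLdXiGfCqOxOXDPUim73G8NVEL34jT0IcQR/tqv/GQ=');
    script.onerror = bad_validBlobBlocked;
    script.onload = good_validBlobLoaded;
    var head = document.getElementsByTagName('head').item(0);
    head.appendChild(script);
  </script>

  <!-- invalid sha256 for a blob: URL -->
  <script>
    // Deliberate mismatch: the digest is the one from the valid blob case
    // above, while the payload text differs ('blob:invalid').
    var blob = new Blob(["console.log('blob:invalid');"],
                        {type:"application/javascript"});
    var script = document.createElement('script');
    script.setAttribute('src', URL.createObjectURL(blob));
    script.setAttribute('integrity', 'sha256-AwLdXiGfCqOxOXDPUim73G8NVEL34jT0IcQR/tqv/GQ=');
    script.onerror = good_invalidBlobBlocked;
    script.onload = bad_invalidBlobLoaded;
    var head = document.getElementsByTagName('head').item(0);
    head.appendChild(script);
  </script>

<p id="display"></p>
<div id="content" style="display: none">
</div>
<pre id="test">
</pre>
</body>
</html>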