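<!DOCTYPE HTML>
<html lang="en">

<head>
  <meta charset="utf-8">
  <title>External scripts with matching SRI hash should be allowed.</title>
  <script src='/resources/testharness.js' nonce='dummy'></script>
  <script src='/resources/testharnessreport.js' nonce='dummy'></script>

  <!-- CSP served: script-src {{domains[www]}}:* 'nonce-dummy' 'sha256-wIc3KtqOuTFEu6t17sIBuOswgkV406VJvhSk79Gw6U0=' 'ShA256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c=' 'sha512-rYCVMxWV5nq8IsMo+UZNObWtEiWGok/vDN8BMoEQi41s0znSes6E1Q2aag3Lw3u2J1w2rqH7uF2ws6FpQhfSOA==' -->
  <!-- The policy's host-source is intentionally {{domains[www]}}, not the origin this page is
       served from. Scripts loaded from the page's own origin therefore have exactly one way past
       the policy: their integrity metadata must match a hash-source in the policy. If a failed
       hash match still resulted in a load, that would be a CSP bug. Had the host-source been
       {{domains[]}}, every same-origin load would be allowed by the host-source alone and the
       effect of the integrity check could not be observed. -->
  <!-- 'ShA256-...' is intentionally mixed case: the hash algorithm name in a CSP hash-source
       is case-insensitive, and the same-origin cases below rely on that entry. -->
</head>

<body>
  <h1>External scripts with matching SRI hash should be allowed.</h1>
  <div id='log'></div>

  <script nonce='dummy'>
    // The www host must be reached over the same scheme this page was served on,
    // so pick the matching test-server port.
    var port = "{{ports[http][0]}}";
    if (location.protocol === "https:")
      port = "{{ports[https][0]}}";
    // {{domains[www]}} is allow-listed by the policy's host-source, so loads from it are
    // allowed by CSP whether or not their integrity metadata matches a policy hash.
    var crossorigin_base = location.protocol + "//{{domains[www]}}:" + port;

    // Each entry: [test name, src, integrity attribute value, expected to execute].
    //
    // "matching"/"mismatched" describe the relation to the policy's hash list, not to
    // the resource's real digest. The expectations encode the following rules:
    //  * every digest in the integrity metadata must appear in the policy -- one unknown
    //    digest next to a known one ('partially matching integrity') is a block;
    //  * digests with an algorithm SRI does not support ('sha999-...') are dropped before
    //    matching, so they do not spoil an otherwise matching attribute;
    //  * no integrity metadata at all means nothing can match a hash-source, so a
    //    same-origin script without it is blocked;
    //  * for the allow-listed www host, CSP permits the load regardless of integrity.
    //    The 'crossorigin mismatched integrity' case still expects execution, which means
    //    its digest is presumably the real digest of crossoriginScript.js (a digest that
    //    failed SRI itself would prevent execution independently of CSP) -- it is only
    //    "mismatched" with respect to the policy.
    // The first two cases carry identical data: both exercise the mixed-case
    // 'ShA256-...' policy entry, and the second exists to give the case-insensitivity
    // expectation its own named result.
    var test_cases = [
      [ 'matching integrity',
        './simpleSourcedScript.js',
        'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c=',
        true ],
      [ 'matching integrity (case-insensitive algorithm)',
        './simpleSourcedScript.js',
        'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c=',
        true ],
      [ 'multiple matching integrity',
        './simpleSourcedScript.js',
        'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c= sha512-rYCVMxWV5nq8IsMo+UZNObWtEiWGok/vDN8BMoEQi41s0znSes6E1Q2aag3Lw3u2J1w2rqH7uF2ws6FpQhfSOA==',
        true ],
      [ 'no integrity',
        './simpleSourcedScript.js',
        '',
        false ],
      [ 'matching plus unsupported integrity',
        './simpleSourcedScript.js',
        'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c= sha999-xyz',
        true ],
      [ 'mismatched integrity',
        './simpleSourcedScript.js',
        'sha256-xyz',
        false ],
      [ 'multiple mismatched integrity',
        './simpleSourcedScript.js',
        'sha256-xyz sha256-zyx',
        false ],
      [ 'partially matching integrity',
        './simpleSourcedScript.js',
        'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c= sha256-xyz',
        false ],
      [ 'crossorigin no integrity but allowed host',
        crossorigin_base + '/content-security-policy/script-src/crossoriginScript.js',
        '',
        true ],
      [ 'crossorigin mismatched integrity but allowed host',
        crossorigin_base + '/content-security-policy/script-src/crossoriginScript.js',
        'sha256-kKJ5c48yxzaaSBupJSCmY50hkD8xbVgZgLHLtmnkeAo=',
        true ],
    ];

    // One async_test per case. Execution is observed through a 'message' event carrying
    // the element's id (the loaded scripts presumably post document.currentScript.id back
    // to this window -- they run in this document, so no origin check is needed); a CSP
    // or SRI rejection is observed as an error event on the element.
    test(_ => {
      // `const` keeps the loop variable block-scoped; the original left `item` an
      // implicit global.
      for (const item of test_cases) {
        const [name, src, integrity, should_run] = item;
        async_test(t => {
          const s = document.createElement('script');
          // Only the first space is replaced; the exact id text does not matter as long as
          // both this page and the loaded script use the same element id.
          s.id = name.replace(' ', '-');
          s.src = src;
          s.integrity = integrity;
          // crossorigin is required for SRI to be enforced on the www-host loads; it is
          // harmless on the same-origin ones.
          s.setAttribute('crossorigin', 'anonymous');

          if (should_run) {
            s.onerror = t.unreached_func("Script should load! " + s.src);
            window.addEventListener('message', t.step_func(e => {
              if (e.data === s.id)
                t.done();
            }));
          } else {
            // Blocked by CSP (or failing SRI) -> error event, which completes the test.
            s.onerror = t.step_func_done();
            window.addEventListener('message', t.step_func(e => {
              if (e.data === s.id)
                assert_unreached("Script should not execute!");
            }));
          }

          document.body.appendChild(s);
        }, name);
      }
    }, "Load all the tests.");
  </script>

  <script nonce='dummy'>
    var externalRan = false;
  </script>
  <!-- Parser-inserted, same-origin, un-nonced: the only thing that can allow this script is
       the policy's 'sha256-wIc3...' hash-source matching its integrity attribute. No
       crossorigin attribute is needed for SRI on a same-origin resource. The script is
       presumed to set externalRan = true. -->
  <script src='./externalScript.js'
          integrity="sha256-wIc3KtqOuTFEu6t17sIBuOswgkV406VJvhSk79Gw6U0="></script>
  <script nonce='dummy'>
    test(function() {
      assert_true(externalRan, 'External script ran.');
    }, 'External script in a script tag with matching SRI hash should run.');
  </script>

</body>

</html>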