
scripthash-unicode-normalization.sub.html (2780B)


      1 <!DOCTYPE html>
      2 <html>
      3 
      4 <head>
      5    <!-- Programmatically converted from a WebKit Reftest, please forgive resulting idiosyncrasies. -->
      6    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-nonceynonce' 'sha256-9UFeeZbvnMa0tLNu76v96T4Hh+UtDWHm2lPQJoTWb9c='; connect-src 'self';"> <!-- Policy under test: scripts may load from the same origin, carry the nonce used by the driver script in the body, or match the single listed SHA-256 hash. -->
      7    <title>scripthash-unicode-normalization</title>
      8    <script src="/resources/testharness.js"></script>
      9    <script src="/resources/testharnessreport.js"></script>
     10    <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <!-- NOTE(review): the non-ASCII literals in the body script presumably depend on the page being decoded as UTF-8; confirm the served bytes match this declaration. -->
     11 </head>
     12 
     13 <body>
     14    <!-- The following two scripts contain two separate code points (U+00C5
     15        and U+212B, respectively) which, depending on your text editor, might be
     16        rendered the same. However, their difference is important because, under
     17        NFC normalization, they would become the same code point, and hashing the
     18        normalized text would be against the spec. This test, therefore, validates
     19        that the scripts have *different* hash values. -->
     20    <script nonce="nonceynonce">
     21      var t_spv = async_test("Should fire securitypolicyviolation"); // separate subtest: completes when a CSP violation event is observed
     22      window.addEventListener('securitypolicyviolation', t_spv.step_func_done(function(e) {
     23          assert_equals(e.violatedDirective, "script-src-elem"); // the violation is expected to be reported against script-src-elem
     24      }));
     25 
     26      var matchingContent = 'Å'; // U+00C5 per the comment above this script; do not re-save this file through a normalizing editor
     27      var nonMatchingContent = 'Å'; // U+212B per the comment above this script; NFC would fold it into U+00C5
     28 
     29      // This script should have a hash value of
     30      // sha256-9UFeeZbvnMa0tLNu76v96T4Hh+UtDWHm2lPQJoTWb9c=
     31      // (the only hash-source listed in this page's Content-Security-Policy).
     32      var scriptContent1 = "window.finish('" + matchingContent + "');";
     33      // This script should have a hash value of
     34      // sha256-iNjjXUXds31FFvkAmbC74Sxnvreug3PzGtu16udQyqM=
     35      // (not listed in the policy, so it is expected to be blocked).
     36      var scriptContent2 = "window.finish('" + nonMatchingContent + "');";
     37      var script1 = document.createElement('script');
     38      var script2 = document.createElement('script');
     39 
     40      script1.test = async_test("Only matching content runs even with NFC normalization."); // subtest handle is stored on the element itself
     41 
     42      var failure = function() { // error handler for script1 (assigned to script1.onerror below)
     43        assert_unreached(); // NOTE(review): runs outside a test step and without a message; presumably surfaces as a harness error rather than a named subtest failure - confirm
     44      }
     45 
     46      window.finish = function(content) { // called by the injected scripts with their own string literal
     47        if (content == matchingContent) { // the U+00C5 script ran: expected outcome
     48          script1.test.step(function() {
     49            script1.test.done();
     50          });
     51        } else { // any other argument means the script that must be blocked executed
     52          script1.test.step(function() {
     53            assert_unreached("nonMatchingContent script ran");
     54          });
     55        }
     56      }
     57 
     58      script1.onerror = failure;
     59 
     60      document.body.appendChild(script2); // the non-matching script is inserted before the matching one
     61      script2.textContent = scriptContent2; // each element is attached while empty and given its text afterwards
     62      document.body.appendChild(script1);
     63      script1.textContent = scriptContent1;
     64    </script>
     65 
     66    <p>
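     67        This tests Unicode normalization. While appearing the same, the strings in the scripts are different Unicode code points. Under NFC normalization they would become the same, so the hash must be taken over the un-normalized script text: only the script whose hash is listed in the policy should run.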
     68    </p>
     69    <div id="log"></div>
     70 </body>
     71 
     72 </html>