subresource-integrity.html (12709B)
1 <!DOCTYPE html> 2 <meta charset=utf-8> 3 <title>Subresource Integrity</title> 4 <script src="/resources/testharness.js"></script> 5 <script src="/resources/testharnessreport.js"></script> 6 <script src="/resources/sriharness.js"></script> 7 <script src="/common/utils.js"></script> 8 <script src="/subresource-integrity/sri-test-helpers.sub.js"></script> 9 <script src="./resources/preload_helper.js"></script> 10 11 12 <div id="log"></div> 13 14 <div id="container"></div> 15 <script> 16 // This is a list of information for each preload destination. The information 17 // is used in a loop iterating over the below tests, so that each test is run 18 // for each destination. 19 const preload_destination_info = [ 20 { 21 destination: 'script', ext: '.js', supports_sri: true, 22 sha256: 'sha256-Bu681KMnQ15RYHFvsYdWumweeFAw0hJDTFt9seErghA=', 23 sha384: 'sha384-cINXh+nCzEHPWzXS7eoT+vYMBpyqczOybRLNU3XAButFWCRhHT5hLByIbPRqIm2f', 24 sha512: 'sha512-KZdenhzBd7X7Q/vmaOSyvFz1CGdoVt26xzCZjlkU9lfBEK+V/ougGys7iYDi0+tOHIQSQa87bIqx95R7GU7I9Q==' 25 }, 26 { 27 destination: 'style', ext: '.css', supports_sri: true, 28 sha256: 'sha256-CzHgdJ7wOccM8L89n4bhcJMz3F+SPLT7YZk7gyCWUV4=', 29 sha384: 'sha384-wDAWxH4tOWBwAwHfBn9B7XuNmFxHTMeigAMwn0iVQ0zq3FtmYMLxihcGnU64CwcX', 30 sha512: 'sha512-9wXDjd6Wq3H6nPAhI9zOvG7mJkUr03MTxaO+8ztTKnfJif42laL93Be/IF6YYZHHF4esitVYxiwpY2HSZX4l6w==' 31 }, 32 { 33 destination: 'image', ext: '.png', supports_sri: false, 34 sha256: 'sha256-h7rQ5CQooD7qmTmrNxykCgjz3lDM1CBl2hkY1CTpB2I=', 35 sha384: 'sha384-DqrhF5pyW9u4FJsleRwjTAwKDSspQbxk9oux9BtcaANyji0kzpb7b4Cw3TM4MGNk', 36 sha512: 'sha512-wyY+ChJ1B5ovayDkbBeEv7nuHJ0uws14KoLyFSLKngFzHzm6VaTNA/ndx/Lnt/vPx6BN1cJB7+JNa4aAUGOlgg==' 37 }, 38 // TODO(domfarolino): Add more destinations. 39 ]; 40 41 for (const info of preload_destination_info) { 42 const {destination, ext, supports_sri, sha256, sha384, sha512} = info; 43 44 // Preload + Subresource Integrity tests. These tests work by passing some 45 // destination-specific information (defined in |preload_destination_info|) 46 // to the below tests, which do the following: 47 // Create a <link rel="preload"> for the given destination, with the 48 // specified `integrity`. After this has either loaded or failed to load, 49 // the subresource element corresponding to |destination| will be created, 50 // attempting to re-use the preloaded resource. `integrity` may be specified 51 // on the subresource elements that support SRI as well. The subresource 52 // will either load or fail to load, and the result will be compared with an 53 // expectation passed to the test. 54 SRIPreloadTest( 55 true, /* preload_sri_success */ 56 true, /* subresource_sri_success */ 57 `Same-origin ${destination} with correct sha256 hash.`, /* name */ 58 1, /* number_of_requests */ 59 destination, /* destination */ 60 same_origin_prefix + destination + ext + `?${token()}`, /* resource_url (for preload + subresource) */ 61 {integrity: sha256}, /* link_attrs */ 62 {} /* subresource_attrs */ 63 ) 64 65 SRIPreloadTest( 66 true, 67 true, 68 `Same-origin ${destination} with correct sha384 hash.`, 69 1, 70 destination, 71 same_origin_prefix + destination + ext + `?${token()}`, 72 {integrity: sha384}, 73 {} 74 ) 75 76 SRIPreloadTest( 77 true, 78 true, 79 `Same-origin ${destination} with correct sha512 hash.`, 80 1, 81 destination, 82 same_origin_prefix + destination + ext + `?${token()}`, 83 {integrity: sha512}, 84 {} 85 ) 86 87 SRIPreloadTest( 88 true, 89 true, 90 `Same-origin ${destination} with empty integrity.`, 91 1, 92 destination, 93 same_origin_prefix + destination + ext + `?${token()}`, 94 {}, 95 {} 96 ) 97 98 SRIPreloadTest( 99 false, 100 false, 101 `Same-origin ${destination} with incorrect hash.`, 102 1, 103 destination, 104 same_origin_prefix + destination + ext + `?${token()}`, 105 {integrity: "sha256-deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdead"}, 106 {} 107 ) 108 109 SRIPreloadTest( 110 true, 111 true, 112 `Same-origin ${destination} with multiple sha256 hashes, including correct.`, 113 1, 114 destination, 115 same_origin_prefix + destination + ext + `?${token()}`, 116 {integrity: `${sha256} sha256-deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdead`}, 117 {} 118 ) 119 120 SRIPreloadTest( 121 true, 122 true, 123 `Same-origin ${destination} with multiple sha256 hashes, including unknown algorithm.`, 124 1, 125 destination, 126 same_origin_prefix + destination + ext + `?${token()}`, 127 {integrity: `${sha256} foo666-deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdead`}, 128 {} 129 ) 130 131 SRIPreloadTest( 132 true, 133 true, 134 `Same-origin ${destination} with sha256 mismatch, sha512 match`, 135 1, 136 destination, 137 same_origin_prefix + destination + ext + `?${token()}`, 138 {integrity: `${sha512} sha256-deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdead`}, 139 {} 140 ) 141 142 SRIPreloadTest( 143 false, 144 false, 145 `Same-origin ${destination} with sha256 match, sha512 mismatch`, 146 1, 147 destination, 148 same_origin_prefix + destination + ext + `?${token()}`, 149 {integrity: `sha512-deadbeefspbnUnwooKGNNCb39nvg+EW0O9hDScTXeo/9pVZztLSUYU3LNV6H0lZapo8bCJUpyPPLAzE9fDzpxg== ${sha256}`}, 150 {} 151 ) 152 153 SRIPreloadTest( 154 true, 155 true, 156 `<crossorigin='anonymous'> ${destination} with correct hash, ACAO: *`, 157 1, 158 destination, 159 xorigin_prefix + destination + ext + `?${token()}` + anonymous, 160 {integrity: sha256, crossOrigin: 'anonymous'}, 161 {crossOrigin: "anonymous"} 162 ) 163 164 SRIPreloadTest( 165 false, 166 false, 167 `<crossorigin='anonymous'> ${destination} with incorrect hash, ACAO: *`, 168 1, 169 destination, 170 xorigin_prefix + destination + ext + `?${token()}` + anonymous, 171 {integrity: "sha256-sha256-deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdead", crossOrigin: "anonymous"}, 172 {crossOrigin: "anonymous"} 173 ) 174 175 SRIPreloadTest( 176 true, 177 true, 178 `<crossorigin='use-credentials'> ${destination} with correct hash, CORS-eligible`, 179 1, 180 destination, 181 xorigin_prefix + destination + ext + `?${token()}` + use_credentials, 182 {integrity: sha256, crossOrigin: "use-credentials"}, 183 {crossOrigin: "use-credentials"} 184 ) 185 186 SRIPreloadTest( 187 false, 188 false, 189 `<crossorigin='use-credentials'> ${destination} with incorrect hash CORS-eligible`, 190 1, 191 destination, 192 xorigin_prefix + destination + ext + `?${token()}` + use_credentials, 193 {integrity: "sha256-deadbeef2S+pTRZgiw3DWrhC6JLDlt2zRyGpwH7unU8=", crossOrigin: "use-credentials"}, 194 {crossOrigin: "use-credentials"} 195 ) 196 197 SRIPreloadTest( 198 false, 199 false, 200 `<crossorigin='anonymous'> ${destination} with CORS-ineligible resource`, 201 1, 202 destination, 203 // not piping ACAO header makes this CORS-ineligible 204 xorigin_prefix + destination + ext + `?${token()}`, 205 {integrity: sha256, crossOrigin: "anonymous"}, 206 {crossOrigin: "anonymous"} 207 ) 208 209 SRIPreloadTest( 210 false, 211 false, 212 `Cross-origin ${destination}, not CORS request, with correct hash`, 213 1, 214 destination, 215 xorigin_prefix + destination + ext + `?${token()}` + anonymous, 216 {integrity: sha256}, 217 {} 218 ) 219 220 SRIPreloadTest( 221 false, 222 false, 223 `Cross-origin ${destination}, not CORS request, with hash mismatch`, 224 1, 225 destination, 226 xorigin_prefix + destination + ext + `?${token()}` + anonymous, 227 {integrity: "sha256-deadbeef01Y0yKSx3/UoIKtIY2UQ9+H8WGyyMuOWOC0="}, 228 {} 229 ) 230 231 SRIPreloadTest( 232 true, 233 true, 234 `Cross-origin ${destination}, empty integrity`, 235 1, 236 destination, 237 xorigin_prefix + destination + ext + `?${token()}` + anonymous, 238 {}, 239 {} 240 ) 241 242 SRIPreloadTest( 243 true, 244 true, 245 `Same-origin ${destination} with correct hash, options.`, 246 1, 247 destination, 248 same_origin_prefix + destination + ext + `?${token()}`, 249 {integrity: `${sha256}?foo=bar?spam=eggs`}, 250 {} 251 ) 252 253 SRIPreloadTest( 254 true, 255 true, 256 `Same-origin ${destination} with unknown algorithm only.`, 257 1, 258 destination, 259 same_origin_prefix + destination + ext + `?${token()}`, 260 {integrity: "foo666-8aBiAJl3ukQwSJ6eTs5wl6hGjnOtyXjcTRdAf89uIfY="}, 261 {} 262 ) 263 264 // The below tests are specific to subresource destinations that support 265 // SRI. See |supports_sri|. 266 if (supports_sri) { 267 268 SRIPreloadTest( 269 true, 270 true, 271 `Same-origin ${destination} with matching digest re-uses preload with matching digest.`, 272 1, 273 destination, 274 same_origin_prefix + destination + ext + `?${token()}`, 275 {integrity: sha256}, 276 {integrity: sha256} 277 ) 278 279 SRIPreloadTest( 280 true, 281 true, 282 `Same-origin ${destination} with matching digest re-uses preload with matching digest and options.`, 283 1, 284 destination, 285 same_origin_prefix + destination + ext + `?${token()}`, 286 {integrity: `${sha256}?dummy-option=value`}, 287 {integrity: sha256} 288 ) 289 290 SRIPreloadTest( 291 true, 292 false, 293 `Same-origin ${destination} with non-matching digest does not re-use preload with matching digest.`, 294 2, 295 destination, 296 same_origin_prefix + destination + ext + `?${token()}`, 297 {integrity: sha256}, 298 {integrity: "sha256-deadbeefQ15RYHFvsYdWumweeFAw0hJDTFt9seErghA="} 299 ) 300 301 SRIPreloadTest( 302 false, 303 true, 304 `Same-origin ${destination} with matching digest does not re-use preload with non-matching digest.`, 305 2, 306 destination, 307 same_origin_prefix + destination + ext + `?${token()}`, 308 {integrity: "sha256-deadbeefQ15RYHFvsYdWumweeFAw0hJDTFt9seErghA="}, 309 {integrity: sha256} 310 ) 311 312 SRIPreloadTest( 313 false, 314 false, 315 `Same-origin ${destination} with non-matching digest does not re-use preload with non-matching digest.`, 316 2, 317 destination, 318 same_origin_prefix + destination + ext + `?${token()}`, 319 {integrity: "sha256-deadbeefQ15RYHFvsYdWumweeFAw0hJDTFt9seErghA="}, 320 {integrity: "sha256-deaddeadbeefYHFvsYdWumweeFAw0hJDTFt9seErghA="} 321 ) 322 323 SRIPreloadTest( 324 true, 325 true, 326 `Same-origin ${destination} with matching digest does not reuse preload without digest.`, 327 2, 328 destination, 329 same_origin_prefix + destination + ext + `?${token()}`, 330 {}, 331 {integrity: sha256} 332 ) 333 334 SRIPreloadTest( 335 true, 336 true, 337 `Same-origin ${destination} with matching digest does not reuse preload with matching but stronger digest.`, 338 2, 339 destination, 340 same_origin_prefix + destination + ext + `?${token()}`, 341 {integrity: sha384}, 342 {integrity: sha256}, 343 ) 344 345 SRIPreloadTest( 346 true, 347 false, 348 `Same-origin ${destination} with wrong digest does not reuse preload with correct and stronger digest.`, 349 2, 350 destination, 351 same_origin_prefix + destination + ext + `?${token()}`, 352 {integrity: sha384}, 353 {integrity: "sha256-deadbeefQ15RYHFvsYdWumweeFAw0hJDTFt9seErghA="} 354 ) 355 356 SRIPreloadTest( 357 true, 358 true, 359 `Same-origin ${destination} with matching digest does not reuse preload with matching but weaker digest.`, 360 2, 361 destination, 362 same_origin_prefix + destination + ext + `?${token()}`, 363 {integrity: sha256}, 364 {integrity: sha384}, 365 ) 366 367 SRIPreloadTest( 368 true, 369 false, 370 `Same-origin ${destination} with non-matching digest reuses preload with no digest but fails.`, 371 2, 372 destination, 373 same_origin_prefix + destination + ext + `?${token()}`, 374 {}, 375 {integrity: "sha256-sha256-deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdead"}, 376 ) 377 378 } // if. 379 380 } // for-of. 381 </script>