
signature.https.html (2363B)


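      <!doctype html>
      <meta charset="utf-8">
      <script src="/resources/testharness.js"></script>
      <script src="/resources/testharnessreport.js"></script>
      <script src="/common/dispatcher/dispatcher.js"></script>
      <script src="/common/utils.js"></script>
      <script src="/reporting/resources/report-helper.js"></script>

      <body>
      <script>
        // Checks that a script carrying signature-based integrity metadata
        // (an `ed25519-…` value in its `integrity` attribute) still runs in a
        // document whose Integrity-Policy lists `script` as a blocked destination.
        //
        // Flow:
        //   1. Load the remote executor in an iframe, asking the server (via the
        //      `pipe` query parameter) to attach Integrity-Policy and
        //      Integrity-Policy-Report-Only headers to that document.
        //   2. From inside the iframe, insert a <script> whose response is served
        //      with Unencoded-Digest, Signature-Input and Signature headers.
        //   3. Report back whether the script set `window.ran`.
        promise_test(async () => {
          // Generated using https://sha2.it/ed25519.html in a browser that supports Signature-Based SRI (e.g. Chrome 136+, with Experimental Web Platform Features enabled)
          //
          // The keyid in Signature-Input is the same public key that appears in
          // the script's `integrity` attribute below; the two must stay in sync.
          // NOTE(review): the sha-384 digest and the signature presumably cover
          // the body of ran.js, so both would need regenerating if that resource
          // changes — confirm against the resource before editing either side.
          const signature = encodeURIComponent(
            'header(Unencoded-Digest, sha-384=:tqyFpeo21WFM8HDeUtLqH20GUq\/q3D1R6mqTzW3RtyTZ3dAYZJhC1wUcnkgOE2ak:)' +
            '|header(Signature-Input, signature=\\("unencoded-digest";sf\\); keyid="JrQLj5P\/89iXES9+vFgrIy29clF9CC\/oPPsw3c5D0bs="; tag="sri")' +
            '|header(Signature, signature=:qM19uLskHm2TQG5LJcH/hY0n0BWWzYOJztVWYlwk0cZb3u0JdgUMre1J4Jn8Tma0x2u5/kPBfbXRMbB+X+vTBw==:)');

          const REMOTE_EXECUTOR =
            `/common/dispatcher/remote-executor.html`;
          const iframe_uuid = token();

          // Enforced policy and report-only policy both name `script` as a
          // blocked destination; they differ only in their reporting endpoints.
          let header =
            `header(Integrity-Policy,blocked-destinations=\\(script\\)\\, endpoints=\\(integrity-endpoint-1 integrity-endpoint-2\\))`;
          header +=
            `|header(Integrity-Policy-Report-Only,blocked-destinations=\\(script\\)\\, endpoints=\\(integrity-endpoint-3\\))`;
          const params = new URLSearchParams();
          params.set('uuid', iframe_uuid);
          params.set('pipe', header);

          const iframe = document.createElement('iframe');
          iframe.src = `${REMOTE_EXECUTOR}?${params}`;
          document.body.appendChild(iframe);

          // Execute code directly from the iframe. The callback runs in the
          // iframe's context, so values from this page (the encoded signature
          // headers) are handed over explicitly as arguments.
          const ctx = new RemoteContext(iframe_uuid);
          const result = await ctx.execute_script(async (signature) => {
            window.ran = false;
            // Load the script and remember which event ended the attempt, so a
            // failure can be told apart: "error" means the load itself was
            // rejected, "load" with ran === false means it loaded but the flag
            // was never set.
            const outcome = await new Promise(resolve => {
              const script = document.createElement('script');
              script.crossOrigin = "anonymous";
              script.integrity = "ed25519-JrQLj5P/89iXES9+vFgrIy29clF9CC/oPPsw3c5D0bs=";
              script.onload = () => resolve('load');
              script.onerror = () => resolve('error');
              script.src = "/content-security-policy/resources/ran.js?pipe=" + signature;
              document.body.appendChild(script);
            });
            return { ran: window.ran, outcome };
          }, [signature]);
          assert_equals(
            result.ran, true,
            `signed script should execute under Integrity-Policy (script element fired "${result.outcome}")`);
        }, "Ensure that a script with signature integrity runs");
      </script>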