tor-browser

The Tor Browser
git clone https://git.dasho.dev/tor-browser.git
Log | Files | Refs | README | LICENSE

client-initiated.cross-origin.window.js (7601B)

      1 // META: script=/common/get-host-info.sub.js
      2 // META: script=helper.js
      3 
      4 // A canonically validly signed response, generated using the steps at
      5 // https://wicg.github.io/signature-based-sri/#examples, relying on the test
      6 // key from https://www.rfc-editor.org/rfc/rfc9421.html#name-example-ed25519-test-key:
      7 //
      8 // ```
      9 // NOTE: '\' line wrapping per RFC 8792
     10 //
     11 // HTTP/1.1 200 OK
     12 // Date: Tue, 20 Apr 2021 02:07:56 GMT
     13 // Content-Type: application/json
     14 // Unencoded-Digest: sha-256=:X48E9qOokqqrvdts8nOJRJN3OWDUoyWxBf7kbu9DBPE=:
     15 // Content-Length: 18
     16 // Signature-Input: signature=("unencoded-digest";sf); \
     17 //                  keyid="JrQLj5P/89iXES9+vFgrIy29clF9CC/oPPsw3c5D0bs="; \
     18 //                  tag="sri"
     19 // Signature: signature=:TUznBT2ikFq6VrtoZeC5znRtZugu1U8OHJWoBkOLDTJA2FglSR34Q \
     20 //                       Y9j+BwN79PT4H0p8aIosnv4rXSKfIZVDA==:
     21 //
     22 // {"hello": "world"}
     23 // ```
     24 
     25 
     26 // Unsigned responses are blocked when integrity is asserted:
     27 generate_fetch_test({},
     28                    {
     29                      origin: get_host_info().REMOTE_ORIGIN,
     30                      integrity: `ed25519-${kValidKeys['rfc']}`,
     31                    },
     32                    EXPECT_BLOCKED,
     33                    "No signature, valid integrity check, w/o cors: blocked.");
     34 generate_fetch_test({ cors: true },
     35                    {
     36                      origin: get_host_info().REMOTE_ORIGIN,
     37                      mode: 'cors',
     38                      integrity: `ed25519-${kValidKeys['rfc']}`,
     39                    },
     40                    EXPECT_BLOCKED,
     41                    "No signature, valid integrity check, w/ cors: blocked.");
     42 
     43 // Valid signatures depend upon integrity checks and CORS status.
     44 //
     45 // Valid signature, no cors: all blocked.
     46 const kRequestWithValidSignature = {
     47  body: `{"hello": "world"}`,
     48  digest: `sha-256=:X48E9qOokqqrvdts8nOJRJN3OWDUoyWxBf7kbu9DBPE=:`,
     49  signature: `signature=:gHim9e5Pk2H7c9BStOmxSmkyc8+ioZgoxynu3d4INAT4dwfj5LhvaV9DFnEQ9p7C0hzW4o4Qpkm5aApd6WLLCw==:`,
     50  signatureInput: `signature=("unencoded-digest";sf);keyid="${kValidKeys['rfc']}";tag="sri"`
     51 };
     52 generate_fetch_test(kRequestWithValidSignature,
     53                    {
     54                      origin: get_host_info().REMOTE_ORIGIN,
     55                      integrity: `ed25519-${kValidKeys['rfc']}`,
     56                    },
     57                    EXPECT_BLOCKED,
     58                    "Valid signature, matching integrity check, no cors: blocked.");
     59 
     60 generate_fetch_test(kRequestWithValidSignature,
     61                    {
     62                      origin: get_host_info().REMOTE_ORIGIN,
     63                      integrity: `ed25519-${kInvalidKey}`,
     64                    },
     65                    EXPECT_BLOCKED,
     66                    "Valid signature, mismatched integrity check, no cors: blocked.");
     67 
     68 generate_fetch_test(kRequestWithValidSignature,
     69                    {
     70                      origin: get_host_info().REMOTE_ORIGIN,
     71                      integrity:`ed25519-${kValidKeys['rfc']} ed25519-${kInvalidKey}`
     72                    },
     73                    EXPECT_BLOCKED,
     74                    "Valid signature, one valid integrity check, no cors: loads.");
     75 
     76 // Valid signature, CORS: depends on integrity check.
     77 const kRequestWithValidSignatureAndCORS = {
     78  body: kRequestWithValidSignature['body'],
     79  digest: kRequestWithValidSignature['digest'],
     80  signature: kRequestWithValidSignature['signature'],
     81  signatureInput: kRequestWithValidSignature['signatureInput'],
     82  cors: true,
     83 };
     84 generate_fetch_test(kRequestWithValidSignatureAndCORS,
     85                    {
     86                      origin: get_host_info().REMOTE_ORIGIN,
     87                      mode: "cors",
     88                      integrity: `ed25519-${kValidKeys['rfc']}`,
     89                    },
     90                    EXPECT_LOADED,
     91                    "Valid signature, matching integrity check, cors: loads.");
     92 
     93 generate_fetch_test(kRequestWithValidSignatureAndCORS,
     94                    {
     95                      origin: get_host_info().REMOTE_ORIGIN,
     96                      mode: "cors",
     97                      integrity: `ed25519-${kInvalidKey}`,
     98                    },
     99                    EXPECT_BLOCKED,
    100                    "Valid signature, mismatched integrity check, cors: blocked.");
    101 
    102 generate_fetch_test(kRequestWithValidSignatureAndCORS,
    103                    {
    104                      origin: get_host_info().REMOTE_ORIGIN,
    105                      mode: "cors",
    106                      integrity:`ed25519-${kValidKeys['rfc']} ed25519-${kInvalidKey}`
    107                    },
    108                    EXPECT_LOADED,
    109                    "Valid signature, one valid integrity check, cors: loads.");
    110 
    111 
    112 // Invalid signatures, cors or no cors, are all blocked.
    113 const kRequestWithInvalidSignature = {
    114  body: `{"hello": "world"}`,
    115  digest: `sha-256=:X48E9qOokqqrvdts8nOJRJN3OWDUoyWxBf7kbu9DBPE=:`,
    116  signature: `signature=:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==:`,
    117  signatureInput: `signature=("unencoded-digest";sf);keyid="${kValidKeys['rfc']}";tag="sri"`
    118 };
    119 generate_fetch_test(kRequestWithInvalidSignature,
    120                    {
    121                      origin: get_host_info().REMOTE_ORIGIN,
    122                      integrity: `ed25519-${kValidKeys['rfc']}`,
    123                    },
    124                    EXPECT_BLOCKED,
    125                    "Invalid signature, matching integrity check, no cors: blocked.");
    126 
    127 generate_fetch_test(kRequestWithInvalidSignature,
    128                    {
    129                      origin: get_host_info().REMOTE_ORIGIN,
    130                      integrity: `ed25519-${kInvalidKey}`,
    131                    },
    132                    EXPECT_BLOCKED,
    133                    "Invalid signature, mismatched integrity check, no cors: blocked.");
    134 
    135 generate_fetch_test(kRequestWithInvalidSignature,
    136                    {
    137                      origin: get_host_info().REMOTE_ORIGIN,
    138                      integrity:`ed25519-${kValidKeys['rfc']} ed25519-${kInvalidKey}`
    139                    },
    140                    EXPECT_BLOCKED,
    141                    "Invalid signature, one valid integrity check, no cors: loads.");
    142 
    143 const kRequestWithInvalidSignatureAndCORS = {
    144  body: `{"hello": "world"}`,
    145  digest: `sha-256=:X48E9qOokqqrvdts8nOJRJN3OWDUoyWxBf7kbu9DBPE=:`,
    146  signature: `signature=:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==:`,
    147  signatureInput: `signature=("unencoded-digest";sf);keyid="${kValidKeys['rfc']}";tag="sri"`,
    148  cors: true
    149 };
    150 generate_fetch_test(kRequestWithInvalidSignatureAndCORS,
    151                    {
    152                      origin: get_host_info().REMOTE_ORIGIN,
    153                      integrity: `ed25519-${kValidKeys['rfc']}`,
    154                      mode: "cors",
    155                    },
    156                    EXPECT_BLOCKED,
    157                    "Invalid signature, matching integrity check, cors: blocked.");
    158 
    159 generate_fetch_test(kRequestWithInvalidSignatureAndCORS,
    160                    {
    161                      origin: get_host_info().REMOTE_ORIGIN,
    162                      integrity: `ed25519-${kInvalidKey}`,
    163                      mode: "cors",
    164                    },
    165                    EXPECT_BLOCKED,
    166                    "Invalid signature, mismatched integrity check, cors: blocked.");
    167 
    168 generate_fetch_test(kRequestWithInvalidSignatureAndCORS,
    169                    {
    170                      origin: get_host_info().REMOTE_ORIGIN,
    171                      integrity:`ed25519-${kValidKeys['rfc']} ed25519-${kInvalidKey}`,
    172                      mode: "cors",
    173                    },
    174                    EXPECT_BLOCKED,
    175                    "Invalid signature, one valid integrity check, cors: loads.");