client-initiated.same-origin.window.js (3929B)
// META: script=/common/get-host-info.sub.js
// META: script=helper.js

// A canonically validly signed response, generated using the steps at
// https://wicg.github.io/signature-based-sri/#examples, relying on the test
// key from https://www.rfc-editor.org/rfc/rfc9421.html#name-example-ed25519-test-key:
//
// ```
// NOTE: '\' line wrapping per RFC 8792
//
// HTTP/1.1 200 OK
// Date: Tue, 20 Apr 2021 02:07:56 GMT
// Content-Type: application/json
// Unencoded-Digest: sha-256=:X48E9qOokqqrvdts8nOJRJN3OWDUoyWxBf7kbu9DBPE=:
// Content-Length: 18
// Signature-Input: signature=("unencoded-digest";sf); \
//                  keyid="JrQLj5P/89iXES9+vFgrIy29clF9CC/oPPsw3c5D0bs="; \
//                  tag="sri"
// Signature: signature=:TUznBT2ikFq6VrtoZeC5znRtZugu1U8OHJWoBkOLDTJA2FglSR34Q \
//            Y9j+BwN79PT4H0p8aIosnv4rXSKfIZVDA==:
//
// {"hello": "world"}
// ```
//
// The key above is the RFC 9421 example key, whose private half is published
// in the RFC, so it is only suitable for test fixtures.


// Responses that carry no signature at all. The expectations below show that
// a malformed `ed25519-` integrity value does not block the load, while a
// well-formed key does, because the response offers nothing to verify against.
for (const [options, expectation, description] of [
  [
    {integrity: `ed25519-!!!`},
    EXPECT_LOADED,
    "No signature, malformed integrity check: loads.",
  ],
  [
    {integrity: `ed25519-${kValidKeys.rfc}`},
    EXPECT_BLOCKED,
    "No signature, valid integrity check: blocked.",
  ],
]) {
  // A fresh empty request description per case, as in a hand-written call.
  generate_fetch_test({}, options, expectation, description);
}

// Valid signatures depend upon integrity checks.
// Fixture for a response that is meant to verify under `kValidKeys.rfc`
// (named as `keyid` in the signature input). How these fields are turned into
// the response body and headers is up to helper.js, which is not shown here.
// NOTE(review): the `signature` value below is not the one shown in the
// example response in this file's header comment; confirm the example is
// still in sync with this fixture.
const kRequestWithValidSignature = {
  body: `{"hello": "world"}`,
  digest: `sha-256=:X48E9qOokqqrvdts8nOJRJN3OWDUoyWxBf7kbu9DBPE=:`,
  signature: `signature=:gHim9e5Pk2H7c9BStOmxSmkyc8+ioZgoxynu3d4INAT4dwfj5LhvaV9DFnEQ9p7C0hzW4o4Qpkm5aApd6WLLCw==:`,
  signatureInput: `signature=("unencoded-digest";sf);keyid="${kValidKeys.rfc}";tag="sri"`,
};

// One row per case: [fetch options, expected outcome, test name].
for (const [options, expectation, description] of [
  // A malformed integrity value does not block a validly signed response.
  [
    {integrity: "ed25519-???"},
    EXPECT_LOADED,
    "Valid signature, malformed integrity check: loads.",
  ],
  // The asserted key is the one that signed the response.
  [
    {integrity: `ed25519-${kValidKeys.rfc}`},
    EXPECT_LOADED,
    "Valid signature, matching integrity check: loads.",
  ],
  // A valid signature is not enough on its own: it must come from the key
  // the request asked for, otherwise the response is rejected.
  [
    {integrity: `ed25519-${kInvalidKey}`},
    EXPECT_BLOCKED,
    "Valid signature, mismatched integrity check: blocked.",
  ],
  // Several keys in one integrity value act as alternatives; one match is
  // sufficient for the response to load.
  [
    {integrity: `ed25519-${kValidKeys.rfc} ed25519-${kInvalidKey}`},
    EXPECT_LOADED,
    "Valid signature, one valid integrity check: loads.",
  ],
]) {
  generate_fetch_test(kRequestWithValidSignature, options, expectation, description);
}

// Invalid signatures are all blocked.
// Fixture for a response whose signature must not verify. Body, digest and
// signature input are the same as in the valid fixture; only `signature` is
// different, replaced by a placeholder made of a run of `A` characters.
const kRequestWithInvalidSignature = {
  body: `{"hello": "world"}`,
  digest: `sha-256=:X48E9qOokqqrvdts8nOJRJN3OWDUoyWxBf7kbu9DBPE=:`,
  signature: `signature=:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==:`,
  signatureInput: `signature=("unencoded-digest";sf);keyid="${kValidKeys.rfc}";tag="sri"`,
};

// One row per case: [fetch options, expected outcome, test name].
// Every row expects a block, including the malformed-integrity one. This
// suggests the response's own signature is enforced whatever the request
// asserts, so a bad signature never falls back to an unchecked load.
for (const [options, expectation, description] of [
  [
    {integrity: "ed25519-???"},
    EXPECT_BLOCKED,
    "Invalid signature, malformed integrity check: blocked.",
  ],
  [
    {integrity: `ed25519-${kValidKeys.rfc}`},
    EXPECT_BLOCKED,
    "Invalid signature, matching integrity check: blocked.",
  ],
  [
    {integrity: `ed25519-${kInvalidKey}`},
    EXPECT_BLOCKED,
    "Invalid signature, mismatched integrity check: blocked.",
  ],
  // Listing the right key among the alternatives does not rescue a response
  // whose signature fails verification.
  [
    {integrity: `ed25519-${kValidKeys.rfc} ed25519-${kInvalidKey}`},
    EXPECT_BLOCKED,
    "Invalid signature, one valid integrity check: blocked.",
  ],
]) {
  generate_fetch_test(kRequestWithInvalidSignature, options, expectation, description);
}