path.window.js (3943B)
1 // META: script=helper.js 2 3 // The following tests validate the behavior of the `@path` derived component. 4 // They'll all be rooted in the following response, generated using the steps at 5 // https://wicg.github.io/signature-based-sri/#examples, relying on the test 6 // key from https://www.rfc-editor.org/rfc/rfc9421.html#name-example-ed25519-test-key: 7 // 8 // ``` 9 // NOTE: '\' line wrapping per RFC 8792 10 // 11 // HTTP/1.1 200 OK 12 // Date: Tue, 20 Apr 2021 02:07:56 GMT 13 // Content-Type: application/json 14 // Unencoded-Digest: sha-256=:X48E9qOokqqrvdts8nOJRJN3OWDUoyWxBf7kbu9DBPE=: 15 // Content-Length: 18 16 // Signature-Input: signature=("unencoded-digest";sf "@path";req); \ 17 // keyid="JrQLj5P/89iXES9+vFgrIy29clF9CC/oPPsw3c5D0bs="; \ 18 // tag="sri" 19 // Signature: signature=:oVQ+s/OqXLAVdfvgZ3HaPiyzkpNXZSit9l6e1FB/gOOL3t8FOrIRDV \ 20 // CkcIEcJjd3MA1mROn39/WQShTmnKmlDg==: 21 // 22 // 23 // {"hello": "world"} 24 // ``` 25 26 // Metadata from the response above: 27 const kRequestsWithValidSignature = [ 28 // `unencoded-digest` then `@path`, with the following signature base: 29 // 30 // ``` 31 // "unencoded-digest";sf: sha-256=:PZJ+9CdAAIacg7wfUe4t/RkDQJVKM0mCZ2K7qiRhHFc=: 32 // "@path";req: /subresource-integrity/signatures/resource.py 33 // "@signature-params": ("unencoded-digest";sf "@path";req);keyid="JrQLj5P/89iXES9+vFgrIy29clF9CC/oPPsw3c5D0bs=";tag="sri" 34 // ``` 35 { 36 body: "window.hello = `world`;", 37 digest: "sha-256=:PZJ+9CdAAIacg7wfUe4t/RkDQJVKM0mCZ2K7qiRhHFc=:", 38 signature: `signature=:+sRkplliS3TanqASHirBTokxhOn6fRTodc7i6Q6PUMsSPP0RJ2Xdb/woWz0+JXaBXAfa55qj+N9paXP5j7DFCw==:`, 39 signatureInput: `signature=("unencoded-digest";sf "@path";req);keyid="${kValidKeys['rfc']}";tag="sri"` 40 }, 41 // `@path` then `unencoded-digest`, with the following signature base: 42 // 43 // ``` 44 // "@path";req: /subresource-integrity/signatures/resource.py 45 // "unencoded-digest";sf: sha-256=:PZJ+9CdAAIacg7wfUe4t/RkDQJVKM0mCZ2K7qiRhHFc=: 46 // "@signature-params": ("@path";req "unencoded-digest";sf);keyid="JrQLj5P/89iXES9+vFgrIy29clF9CC/oPPsw3c5D0bs=";tag="sri" 47 // ``` 48 { 49 body: "window.hello = `world`;", 50 digest: "sha-256=:PZJ+9CdAAIacg7wfUe4t/RkDQJVKM0mCZ2K7qiRhHFc=:", 51 signature: `signature=:YPH2/cRdbR+DPhb1hVG1BgwCpzPLECsAyBavmb7QaXtCF1Hx2QyYp0ki1mi7UftMOnLVpBJdfdLb99Nzf0XqDg==:`, 52 signatureInput: `signature=("@path";req "unencoded-digest";sf);keyid="${kValidKeys['rfc']}";tag="sri"` 53 } 54 ]; 55 56 // Valid signatures depend upon integrity checks. 57 // 58 // We're testing our handling of malformed and multiple keys generally in 59 // `fetch.any.js` and `script.window.js`. Here we'll just focus on ensuring 60 // that responses with `@path` components load at all (no integrity check), 61 // load when integrity checks match, and fail when integrity checks mismatch. 62 for (const request of kRequestsWithValidSignature) { 63 // fetch(): 64 generate_fetch_test(request, {}, EXPECT_LOADED, 65 `Valid signature (${request.signature}), no integrity check: loads.`); 66 67 generate_fetch_test(request, {integrity:`ed25519-${kValidKeys['rfc']}`}, EXPECT_LOADED, 68 `Valid signature (${request.signature}), matching integrity check: loads.`); 69 70 generate_fetch_test(request, {integrity:`ed25519-${kInvalidKey}`}, EXPECT_BLOCKED, 71 `Valid signature (${request.signature}), mismatched integrity check: blocked.`); 72 73 // <script>: 74 generate_script_test(request, "", EXPECT_LOADED, 75 `Valid signature (${request.signature}), no integrity check: loads.`); 76 generate_script_test(request, `ed25519-${kValidKeys['rfc']}`, EXPECT_LOADED, 77 `Valid signature (${request.signature}), matching integrity check: loads.`); 78 generate_script_test(request, `ed25519-${kInvalidKey}`, EXPECT_BLOCKED, 79 `Valid signature (${request.signature}), mismatched integrity check: blocked.`); 80 }