
scheme.window.js (3292B)


// META: script=/common/get-host-info.sub.js
// META: script=helper.js

// Tests for the `@scheme` derived component of signature-based SRI.
// Every case is rooted in the response below, generated using the steps at
// https://wicg.github.io/signature-based-sri/#examples with the test key from
// https://www.rfc-editor.org/rfc/rfc9421.html#name-example-ed25519-test-key:
//
// ```
// NOTE: '\' line wrapping per RFC 8792
//
// HTTP/1.1 200 OK
// Date: Tue, 20 Apr 2021 02:07:56 GMT
// Content-Type: application/json
// Unencoded-Digest: sha-256=:PZJ+9CdAAIacg7wfUe4t/RkDQJVKM0mCZ2K7qiRhHFc=:
// Content-Length: 18
// Signature-Input: signature=("unencoded-digest";sf "@scheme";req); \
//                  keyid="JrQLj5P/89iXES9+vFgrIy29clF9CC/oPPsw3c5D0bs=";       \
//                  tag="sri"
// Signature: signature=:oVQ+s/OqXLAVdfvgZ3HaPiyzkpNXZSit9l6e1FB/gOOL3t8FOrIRDV \
//                       CkcIEcJjd3MA1mROn39/WQShTmnKmlDg==:
//
//
// window.hello = `world`;
// ```

// One entry per request scheme. The signature base that each `signature` value
// covers is reproduced above the entry; the two bases differ only in the
// `"@scheme";req` line, so each signature is valid for exactly one scheme.
const test_cases = [
  // Signature base for a request made over http:
  // ```
  // "unencoded-digest";sf: sha-256=:PZJ+9CdAAIacg7wfUe4t/RkDQJVKM0mCZ2K7qiRhHFc=:
  // "@scheme";req: http
  // "@signature-params": ("unencoded-digest";sf "@scheme";req);keyid="JrQLj5P/89iXES9+vFgrIy29clF9CC/oPPsw3c5D0bs=";tag="sri"
  // ```
  {
    origin: get_host_info().HTTP_REMOTE_ORIGIN,
    signature: "signature=:WZp87p7X3ELfgIKL/qxsY/CT6XArMvZRaxcJ3uy1QklEcLf0c8tol2+W2pvaXX4jnd7hGevFVkzWE77rCOIzAA==:",
  },
  // Signature base for a request made over https:
  // ```
  // "unencoded-digest";sf: sha-256=:PZJ+9CdAAIacg7wfUe4t/RkDQJVKM0mCZ2K7qiRhHFc=:
  // "@scheme";req: https
  // "@signature-params": ("unencoded-digest";sf "@scheme";req);keyid="JrQLj5P/89iXES9+vFgrIy29clF9CC/oPPsw3c5D0bs=";tag="sri"
  // ```
  {
    origin: get_host_info().HTTPS_REMOTE_ORIGIN,
    signature: "signature=:lMzR8lIXYG0Iz0MmTXcRTcBfNw6TgBAPfaNLAU1LzsxWC5dlez8SNe7aCW7avHTWKgaqTGBCMW1LgxkHlijgDA==:",
  },
];

// Handling of malformed and multiple keys is exercised by the broader
// `client-initiated.*` tests. This file only checks that a response signed over
// `@scheme` (1) loads when the request carries no integrity check, (2) loads
// when the integrity check names the signing key, and (3) is blocked when the
// integrity check names a different key.
//
// NOTE(review): every case pairs a signature with the scheme it was generated
// for. Nothing here serves the http signature from the HTTPS origin (or the
// reverse) and expects a block, which is the case that would show `@scheme`
// really binds a signature to the request scheme. Confirm that negative case
// is covered elsewhere.
// NOTE(review): `kValidKeys`, `kInvalidKey`, `generate_fetch_test` and the
// EXPECT_* constants presumably come from helper.js; `kValidKeys.rfc` is
// assumed to equal the keyid shown in the signature bases above. Verify there.
for (const { origin, signature } of test_cases) {
  // Built fresh for every case; the same object is handed to all three tests.
  const request = {
    cors: true,
    body: "window.hello = `world`;",
    digest: "sha-256=:PZJ+9CdAAIacg7wfUe4t/RkDQJVKM0mCZ2K7qiRhHFc=:",
    signatureInput: `signature=("unencoded-digest";sf "@scheme";req);keyid="${kValidKeys.rfc}";tag="sri"`,
    signature,
  };

  // fetch(), no integrity metadata on the request.
  generate_fetch_test(
    request,
    { origin },
    EXPECT_LOADED,
    `Valid signature (${signature}), no integrity check: loads.`
  );

  // fetch(), integrity metadata naming the key that produced the signature.
  generate_fetch_test(
    request,
    { origin, integrity: `ed25519-${kValidKeys.rfc}` },
    EXPECT_LOADED,
    `Valid signature (${signature}), matching integrity check: loads.`
  );

  // fetch(), integrity metadata naming a key that did not sign the response.
  generate_fetch_test(
    request,
    { origin, integrity: `ed25519-${kInvalidKey}` },
    EXPECT_BLOCKED,
    `Valid signature (${signature}), mismatched integrity check: blocked.`
  );
}