// META: script=/common/get-host-info.sub.js
// META: script=helper.js

// The following tests verify server-initiated integrity checks which validate
// signatures even in the absence of integrity metadata asserted by the client.
//
// A canonically validly signed response, generated using the steps at
// https://wicg.github.io/signature-based-sri/#examples, relying on the test
// key from https://www.rfc-editor.org/rfc/rfc9421.html#name-example-ed25519-test-key:
//
// ```
// NOTE: '\' line wrapping per RFC 8792
//
// HTTP/1.1 200 OK
// Date: Tue, 20 Apr 2021 02:07:56 GMT
// Content-Type: application/json
// Unencoded-Digest: sha-256=:X48E9qOokqqrvdts8nOJRJN3OWDUoyWxBf7kbu9DBPE=:
// Content-Length: 18
// Signature-Input: signature=("unencoded-digest";sf); \
//                  keyid="JrQLj5P/89iXES9+vFgrIy29clF9CC/oPPsw3c5D0bs="; \
//                  tag="sri"
// Signature: signature=:TUznBT2ikFq6VrtoZeC5znRtZugu1U8OHJWoBkOLDTJA2FglSR34Q \
//                       Y9j+BwN79PT4H0p8aIosnv4rXSKfIZVDA==:
//
// {"hello": "world"}
// ```

// Fetch options for a cross-origin request in the given mode. `get_host_info()`
// is evaluated per call so each registered test builds its own options object.
const crossOriginOptions = (mode) => ({
  origin: get_host_info().REMOTE_ORIGIN,
  mode,
});

// Valid metadata from the response above.
//
// NOTE(review): the `signature` value here is not the `Signature` header shown
// in the transcript above. Ed25519 signing is deterministic, so the two values
// must have been produced over different signature bases (or different keys);
// confirm this constant was generated over exactly the `signatureInput` below
// with the RFC 9421 test key before treating this file as a reference vector.
const kRequestWithValidSignature = {
  body: `{"hello": "world"}`,
  digest: `sha-256=:X48E9qOokqqrvdts8nOJRJN3OWDUoyWxBf7kbu9DBPE=:`,
  signature: `signature=:gHim9e5Pk2H7c9BStOmxSmkyc8+ioZgoxynu3d4INAT4dwfj5LhvaV9DFnEQ9p7C0hzW4o4Qpkm5aApd6WLLCw==:`,
  signatureInput: `signature=("unencoded-digest";sf);keyid="${kValidKeys['rfc']}";tag="sri"`,
};

// The same signed response, additionally served with CORS headers.
const kRequestWithValidSignatureAndCORS = {
  ...kRequestWithValidSignature,
  cors: true,
};

// The same response body, digest and Signature-Input, but with a well-formed
// signature of all zero bytes. The server still asserts a signature, so the
// integrity check is expected to fail closed regardless of origin or mode.
const kRequestWithInvalidSignature = {
  ...kRequestWithValidSignature,
  signature: `signature=:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==:`,
};

// The invalid-signature response, additionally served with CORS headers.
const kRequestWithInvalidSignatureAndCORS = {
  ...kRequestWithInvalidSignature,
  cors: true,
};

// Each case: [response metadata, request mode (null = same-origin request with
// default options), expected outcome, test name]. Registration order matches
// the order in which the cases are listed.
//
// NOTE(review): there is no "Valid signature, cross-origin, mode: no-cors"
// case, although both invalid-signature sets cover no-cors; confirm whether
// that omission is intentional.
const kCases = [
  [kRequestWithValidSignature, null, EXPECT_LOADED,
   "Valid signature, same-origin: loads."],
  [kRequestWithValidSignature, "cors", EXPECT_BLOCKED,
   "Valid signature, cross-origin w/o cors, cors: blocked (because of CORS)."],

  [kRequestWithValidSignatureAndCORS, null, EXPECT_LOADED,
   "Valid signature, same-origin w/ cors: loads."],
  [kRequestWithValidSignatureAndCORS, "cors", EXPECT_LOADED,
   "Valid signature, cross-origin w/cors, mode: cors: loads."],

  [kRequestWithInvalidSignature, null, EXPECT_BLOCKED,
   "Invalid signature, same-origin: blocked."],
  [kRequestWithInvalidSignature, "no-cors", EXPECT_BLOCKED,
   "Invalid signature, cross-origin w/o cors, mode: no-cors: blocked."],
  [kRequestWithInvalidSignature, "cors", EXPECT_BLOCKED,
   "Invalid signature, cross-origin w/o cors, cors: blocked."],

  [kRequestWithInvalidSignatureAndCORS, null, EXPECT_BLOCKED,
   "Invalid signature, same-origin w/ cors: blocked."],
  [kRequestWithInvalidSignatureAndCORS, "no-cors", EXPECT_BLOCKED,
   "Invalid signature, cross-origin w/ cors, mode: no-cors: blocked."],
  [kRequestWithInvalidSignatureAndCORS, "cors", EXPECT_BLOCKED,
   "Invalid signature, cross-origin w/ cors, mode: cors: blocked."],
];

for (const [request, mode, expectation, description] of kCases) {
  // A fresh options object per test, as each original call literal had.
  const options = mode === null ? {} : crossOriginOptions(mode);
  generate_fetch_test(request, options, expectation, description);
}