tor-browser

The Tor Browser

status.window.js (4245B)


// META: script=helper.js

// These tests exercise the `@status` derived component of a signature base.
// The header layout follows the response below, generated using the steps at
// https://wicg.github.io/signature-based-sri/#examples and relying on the test
// key from https://www.rfc-editor.org/rfc/rfc9421.html#name-example-ed25519-test-key:
//
// ```
// NOTE: '\' line wrapping per RFC 8792
//
// HTTP/1.1 200 OK
// Date: Tue, 20 Apr 2021 02:07:56 GMT
// Content-Type: application/json
// Unencoded-Digest: sha-256=:X48E9qOokqqrvdts8nOJRJN3OWDUoyWxBf7kbu9DBPE=:
// Content-Length: 18
// Signature-Input: signature=("unencoded-digest";sf "@status"); \
//                  keyid="JrQLj5P/89iXES9+vFgrIy29clF9CC/oPPsw3c5D0bs=";       \
//                  tag="sri"
// Signature: signature=:oVQ+s/OqXLAVdfvgZ3HaPiyzkpNXZSit9l6e1FB/gOOL3t8FOrIRDV \
//                       CkcIEcJjd3MA1mROn39/WQShTmnKmlDg==:
//
//
// {"hello": "world"}
// ```
//
// NOTE(review): the body, digest and signature in the example above are not
// the ones used by the vectors below, which carry a script body with its own
// digest and signatures. The example appears to illustrate the header layout
// only - confirm before reusing its values as test data.

// Responses whose signature covers both `unencoded-digest` and `@status`.
//
// The key id inside each `Signature-Input` is taken from `kValidKeys['rfc']`
// (helper.js); the signature bases quoted in the comments spell it out as
// "JrQLj5P/89iXES9+vFgrIy29clF9CC/oPPsw3c5D0bs=" - presumably the same value,
// verify against helper.js.
const kRequestsWithValidSignature = (() => {
  // Every vector serves the same script body, hence the same digest.
  const body = "window.hello = `world`;";
  const digest = "sha-256=:PZJ+9CdAAIacg7wfUe4t/RkDQJVKM0mCZ2K7qiRhHFc=:";

  // Wraps a covered-component list into a complete `Signature-Input` value.
  const signatureInputFor = (components) =>
    `signature=${components};keyid="${kValidKeys['rfc']}";tag="sri"`;

  return [
    // `unencoded-digest` then `@status`, with the following signature base:
    //
    // ```
    // "unencoded-digest";sf: sha-256=:PZJ+9CdAAIacg7wfUe4t/RkDQJVKM0mCZ2K7qiRhHFc=:
    // "@status": 200
    // "@signature-params": ("unencoded-digest";sf "@status");keyid="JrQLj5P/89iXES9+vFgrIy29clF9CC/oPPsw3c5D0bs=";tag="sri"
    // ```
    {
      status: 200,
      body,
      digest,
      signature: "signature=:BRhRykdW61eK1iEf+ZU+Skf1ErVh8DhogWlPISe3iR7ITX4eryLZwaTAzjsoijRo79gGWnvC8ZIPJoZkByNeBw==:",
      signatureInput: signatureInputFor('("unencoded-digest";sf "@status")'),
    },
    // Same component order and digest, status 201: only the status and the
    // signature differ from the entry above.
    {
      status: 201,
      body,
      digest,
      signature: "signature=:kc+2CFqbwZ2SP47sGCfiP1u/Q0E+1nZlVlSM3VALQz0JNCVcmUKpt4T0t+bXOYdJuTyK89FjJx/rxzDmgCO8BQ==:",
      signatureInput: signatureInputFor('("unencoded-digest";sf "@status")'),
    },

    // `@status` then `unencoded-digest`, with the following signature base:
    //
    // ```
    // "@status": 200
    // "unencoded-digest";sf: sha-256=:PZJ+9CdAAIacg7wfUe4t/RkDQJVKM0mCZ2K7qiRhHFc=:
    // "@signature-params": ("@status" "unencoded-digest";sf);keyid="JrQLj5P/89iXES9+vFgrIy29clF9CC/oPPsw3c5D0bs=";tag="sri"
    // ```
    {
      status: 200,
      body,
      digest,
      signature: "signature=:lHSkRZowLG6kbE9rG4dbe4VW59VGZaJtB/xFErBZKATtWRBTcF4T+Ye0A9yFiI65vgYL+ifVo6U3aZUu7pIUAw==:",
      signatureInput: signatureInputFor('("@status" "unencoded-digest";sf)'),
    },
  ];
})();

// Valid signatures depend upon integrity checks.
//
// Handling of malformed and multiple keys is tested generally in the broader
// `client-initiated.*` tests. Here the focus is on ensuring that responses
// with `@status` components load at all (no integrity check), load when
// integrity checks match, and fail when integrity checks mismatch.
//
// NOTE(review): every vector above is listed as a valid signature for the
// status it is served with. This file has no case where the served status
// differs from the signed one (for example the status-200 signature on a 201
// response), which is the case that shows `@status` is actually bound by the
// signature. Confirm that a neighbouring test covers it.
for (const signedResponse of kRequestsWithValidSignature) {
  const matchingIntegrity = `ed25519-${kValidKeys['rfc']}`;
  const mismatchedIntegrity = `ed25519-${kInvalidKey}`;
  const label = `Valid signature (${signedResponse.signature})`;

  // fetch():
  generate_fetch_test(signedResponse, {}, EXPECT_LOADED,
                      `${label}, no integrity check: loads.`);
  generate_fetch_test(signedResponse, {integrity: matchingIntegrity}, EXPECT_LOADED,
                      `${label}, matching integrity check: loads.`);
  generate_fetch_test(signedResponse, {integrity: mismatchedIntegrity}, EXPECT_BLOCKED,
                      `${label}, mismatched integrity check: blocked.`);

  // <script>:
  generate_script_test(signedResponse, "", EXPECT_LOADED,
                       `${label}, no integrity check: loads.`);
  generate_script_test(signedResponse, matchingIntegrity, EXPECT_LOADED,
                       `${label}, matching integrity check: loads.`);
  generate_script_test(signedResponse, mismatchedIntegrity, EXPECT_BLOCKED,
                       `${label}, mismatched integrity check: blocked.`);
}