signature.https.html

firefox-main/testing/web-platform/tests/subresource-integrity/integrity-policy/tentative/signature.https.html

Enable keyboard shortcuts

Source code

File a bug in Core :: DOM: Security

Revision control

Copy as Markdown

Other Tools

HG Web

Test Info: Warnings

This test has a WPT meta file that expects 1 subtest issues.
This WPT test may be referenced by the following Test IDs:
- /subresource-integrity/integrity-policy/tentative/signature.https.html - WPT Dashboard Interop Dashboard

<!doctype html>

<script src="/resources/testharness.js"></script>

<script src="/resources/testharnessreport.js"></script>

<script src="/common/dispatcher/dispatcher.js"></script>

<script src="/common/utils.js"></script>

<script src="/reporting/resources/report-helper.js"></script>

<body>

<script>

  promise_test(async () => {

    // Generated using https://sha2.it/ed25519.html in a browser that supports Signature-Based SRI

//

    // The response over which the digest is generated is `window.ran = true;\n`, and the "signature

    // base" is:

//

    // ```

    // "unencoded-digest";sf: sha-256=:JWql9hchAH1Rc/vo5mdgD2Tw1oSH1HlByNgKGDxSh9Y=:

    // "@signature-params": ("unencoded-digest";sf);keyid="JrQLj5P/89iXES9+vFgrIy29clF9CC/oPPsw3c5D0bs=";tag="ed25519-integrity"

    // ```

    const signature = encodeURIComponent(

      'header(Unencoded-Digest, sha-256=:JWql9hchAH1Rc/vo5mdgD2Tw1oSH1HlByNgKGDxSh9Y=:)' +

      '|header(Signature-Input, signature=\\("unencoded-digest";sf\\); keyid="JrQLj5P\/89iXES9+vFgrIy29clF9CC\/oPPsw3c5D0bs="; tag="ed25519-integrity")' +

      '|header(Signature, signature=:wst4wjY8b6fzAKf0bnxEHjbZnUnOB9v9DqXLZBFKiogHlLzEe2mELvhFAzCZrtKSy3gO5jRv6NzaLTUcYQWXAA==:)');

    const REMOTE_EXECUTOR =

      `/common/dispatcher/remote-executor.html`;

    const iframe_uuid = token();

    let header =

      `header(Integrity-Policy,blocked-destinations=\\(script\\)\\, endpoints=\\(integrity-endpoint-1 integrity-endpoint-2\\))`;

    header +=

      `|header(Integrity-Policy-Report-Only,blocked-destinations=\\(script\\)\\, endpoints=\\(integrity-endpoint-3\\))`;

    const params = new URLSearchParams();

    params.set('uuid', iframe_uuid);

    params.set('pipe', header);

    const iframe = document.createElement('iframe');

    iframe.src = `${REMOTE_EXECUTOR}?${params}`;

    document.body.appendChild(iframe);

    // Execute code directly from the iframe.

    const ctx = new RemoteContext(iframe_uuid);

    const result = await ctx.execute_script(async (signature) => {

      window.ran = false;

      // Load the script

      await new Promise(resolve => {

        const script = document.createElement('script');

        script.crossOrigin="anonymous";

        script.integrity = "ed25519-JrQLj5P/89iXES9+vFgrIy29clF9CC/oPPsw3c5D0bs=";

        script.onload = resolve;

        script.onerror = resolve;

        script.src = "/content-security-policy/resources/ran.js?pipe=" + signature;

        document.body.appendChild(script);

});

      return { ran: window.ran };

    }, [signature]);

    assert_equals(result.ran, true);

  }, "Ensure that a script with signature integrity runs");

</script>