Source code
Revision control
Copy as Markdown
Other Tools
Test Info: Warnings
- This test has a WPT meta file that expects 3 subtest issues.
- This WPT test may be referenced by the following Test IDs:
- /content-security-policy/tentative/require-sri-for/script.https.html - WPT Dashboard Interop Dashboard
<!doctype html>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<script src="/common/dispatcher/dispatcher.js"></script>
<script src="/common/utils.js"></script>
<script src="/common/get-host-info.sub.js"></script>
<body>
<script>
const {ORIGIN} = get_host_info();
const run_test = async (test_case) => {
promise_test(async () => {
const REMOTE_EXECUTOR =
`/common/dispatcher/remote-executor.html?pipe=`;
const iframe_uuid = token();
const csp_header = test_case.report_only ?
"header(Content-Security-Policy-Report-Only,require-sri-for 'script')" :
"header(Content-Security-Policy,require-sri-for 'script')";
const iframe_url = REMOTE_EXECUTOR + encodeURIComponent(csp_header);
const iframe = document.createElement('iframe');
iframe.src = iframe_url + `&uuid=${iframe_uuid}`;
document.body.appendChild(iframe);
// Execute code directly from the iframe.
const ctx = new RemoteContext(iframe_uuid);
const result = await ctx.execute_script(async (test_case) => {
let blockedURI;
if (test_case.should_block) {
window.addEventListener("securitypolicyviolation", e => {
blockedURI = e.blockedURI;
});
}
// Load the script
await new Promise(resolve => {
const script = document.createElement('script');
if (test_case.cross_origin) {
script.crossOrigin="anonymous";
}
if (test_case.integrity) {
script.integrity = test_case.integrity;
}
script.onload = resolve;
script.onerror = resolve;
script.src = test_case.url;
document.body.appendChild(script);
});
return { blocked: blockedURI, ran: window.ran };
}, [test_case]);
for (const [key, value] of Object.entries(result)) {
assert_equals(result[key], test_case.expected[key]);
}
}, test_case.description);
};
const blob = new Blob([`window.ran=true;`],
{ type: 'application/javascript' });
const blob_url = URL.createObjectURL(blob);
// Generated using https://sha2.it/ed25519.html (In Chrome Canary, with Experimental Web Platform Features enabled)
const signature = encodeURIComponent(
'header(Unencoded-Digest, sha-384=:tqyFpeo21WFM8HDeUtLqH20GUq\/q3D1R6mqTzW3RtyTZ3dAYZJhC1wUcnkgOE2ak:)' +
'|header(Signature-Input, signature=\\("unencoded-digest";sf\\); keyid="JrQLj5P\/89iXES9+vFgrIy29clF9CC\/oPPsw3c5D0bs="; tag="sri")' +
'|header(Signature, signature=:qM19uLskHm2TQG5LJcH/hY0n0BWWzYOJztVWYlwk0cZb3u0JdgUMre1J4Jn8Tma0x2u5/kPBfbXRMbB+X+vTBw==:)');
const test_cases = [
{
description: "Ensure that a script without integrity did not run",
url: "/content-security-policy/resources/ran.js",
cross_origin: true,
integrity: "",
should_block: true,
report_only: false,
expected: {blocked: ORIGIN + "/content-security-policy/resources/ran.js", ran: false },
},
{
description: "Ensure that a script with unknown integrity algorithm did not run",
url: "/content-security-policy/resources/ran.js",
cross_origin: true,
integrity: "foobar-AAAAAAAAAAAAAAAAAAAa",
should_block: true,
report_only: false,
expected: {blocked: ORIGIN + "/content-security-policy/resources/ran.js", ran: false },
},
{
description: "Ensure that a script without integrity algorithm runs and gets reported in report-only mode",
url: "/content-security-policy/resources/ran.js",
cross_origin: true,
integrity: "",
should_block: true,
report_only: true,
expected: {blocked: ORIGIN + "/content-security-policy/resources/ran.js", ran: true },
},
{
description: "Ensure that a no-cors script gets blocked",
url: "/content-security-policy/resources/ran.js",
cross_origin: false,
integrity: "sha384-tqyFpeo21WFM8HDeUtLqH20GUq/q3D1R6mqTzW3RtyTZ3dAYZJhC1wUcnkgOE2ak",
should_block: true,
report_only: false,
expected: {blocked: ORIGIN + "/content-security-policy/resources/ran.js", ran: false },
},
{
description: "Ensure that a script with integrity runs",
url: "/content-security-policy/resources/ran.js",
cross_origin: true,
integrity: "sha384-tqyFpeo21WFM8HDeUtLqH20GUq/q3D1R6mqTzW3RtyTZ3dAYZJhC1wUcnkgOE2ak",
should_block: false,
report_only: false,
expected: {blocked: "", ran: true },
},
{
description: "Ensure that a script with signature integrity runs",
url: "/content-security-policy/resources/ran.js?pipe=" + signature,
cross_origin: true,
integrity: "ed25519-JrQLj5P/89iXES9+vFgrIy29clF9CC/oPPsw3c5D0bs=",
should_block: false,
report_only: false,
expected: {blocked: "", ran: true },
},
{
description: "Ensure that a data URI script with no integrity runs",
url: "data:application/javascript,window.ran=true",
cross_origin: true,
integrity: "",
should_block: false,
report_only: false,
expected: {blocked: "", ran: true },
},
{
description: "Ensure that a no-CORS data URI script with no integrity runs",
url: "data:application/javascript,window.ran=true",
cross_origin: false,
integrity: "",
should_block: false,
report_only: false,
expected: {blocked: "", ran: true },
},
{
description: "Ensure that a blob URL script with no integrity runs",
url: blob_url,
cross_origin: true,
integrity: "",
should_block: false,
report_only: false,
expected: {blocked: "", ran: true },
},
{
description: "Ensure that a no-CORS blob URL script with no integrity runs",
url: blob_url,
cross_origin: false,
integrity: "",
should_block: false,
report_only: false,
expected: {blocked: "", ran: true },
}
];
test_cases.map(run_test);
</script>