header-component.window.js

Enable keyboard shortcuts

This test has a WPT meta file that expects 14 subtest issues.
This WPT test may be referenced by the following Test IDs:
- /subresource-integrity/signatures/tentative/header-component.window.html - WPT Dashboard Interop Dashboard

// META: script=helper.js

// The following tests validate the behavior of arbitrary header components in

// signatures. They rely on the test key from

// https://www.rfc-editor.org/rfc/rfc9421.html#name-example-ed25519-test-key

//

// TODO: Replace the placeholder signatures below with real signatures.

const kBody = "window.hello = `world`;";

const kDigest = "sha-256=:PZJ+9CdAAIacg7wfUe4t/RkDQJVKM0mCZ2K7qiRhHFc=:";

const kSignatures = {

  // Signature Base:

  // "content-type": application/javascript

  // "unencoded-digest";sf: sha-256=:PZJ+9CdAAIacg7wfUe4t/RkDQJVKM0mCZ2K7qiRhHFc=:

  // "@signature-params": ("content-type" "unencoded-digest";sf);keyid="JrQLj5P/89iXES9+vFgrIy29clF9CC/oPPsw3c5D0bs=";tag="sri"

  ct_then_digest: "signature=:a5uYGT79upHlmAkq3PsPHr1xz5AXjqmjVbOr38e8HW94+YqthWLjPeYVRYkYprb0zDqrreptOB4m5d148uWAAQ==:",

  // Signature Base:

  // "unencoded-digest";sf: sha-256=:PZJ+9CdAAIacg7wfUe4t/RkDQJVKM0mCZ2K7qiRhHFc=:

  // "content-type": application/javascript

  // "@signature-params": ("unencoded-digest";sf "content-type");keyid="JrQLj5P/89iXES9+vFgrIy29clF9CC/oPPsw3c5D0bs=";tag="sri"

  digest_then_ct: "signature=:OuJoPVjT+cucaPpFGs3hyhdOGcEEgCAaLefYWCwEGdsBFunmFAT6hbMTg/vmhLM3raZKKzWqjFkzinWtia8fAA==:",

  // Signature Base:

  // "content-type": application/javascript

  // "x-extra-header": some-value

  // "unencoded-digest";sf: sha-256=:PZJ+9CdAAIacg7wfUe4t/RkDQJVKM0mCZ2K7qiRhHFc=:

  // "@signature-params": ("content-type" "x-missing-header" "unencoded-digest";sf);keyid="JrQLj5P/89iXES9+vFgrIy29clF9CC/oPPsw3c5D0bs=";tag="sri"

  with_extra_header: "signature=:9UFhYYWqUSxadNI4vyPSln1deZGswee7DpRg761SaORKykyewqhD6pEPJBXfEaV9wJrqgq4Nq+oJb2Pe25TjDA==:",

};

const kRequestsWithValidSignature = [

    body: kBody,

    digest: kDigest,

    signature: kSignatures.ct_then_digest,

    signatureInput: `signature=("content-type" "unencoded-digest";sf);keyid="${kValidKeys["rfc"]}";tag="sri"`

},

    body: kBody,

    digest: kDigest,

    signature: kSignatures.digest_then_ct,

    signatureInput: `signature=("unencoded-digest";sf "content-type");keyid="${kValidKeys["rfc"]}";tag="sri"`

];

for (const request of kRequestsWithValidSignature) {

    // fetch():

    generate_fetch_test(request, {}, EXPECT_LOADED,

                        `Valid signature (${request.signatureInput}), no integrity check: loads.`);

    generate_fetch_test(request, {integrity:`ed25519-${kValidKeys["rfc"]}`}, EXPECT_LOADED,

                        `Valid signature (${request.signatureInput}), matching integrity check: loads.`);

    generate_fetch_test(request, {integrity:`ed25519-${kInvalidKey}`}, EXPECT_BLOCKED,

                        `Valid signature (${request.signatureInput}), mismatched integrity check: blocked.`);

    // <script>:

    generate_script_test(request, "", EXPECT_LOADED,

                        `Valid signature (${request.signatureInput}), no integrity check: loads.`);

    generate_script_test(request, `ed25519-${kValidKeys["rfc"]}`, EXPECT_LOADED,

                        `Valid signature (${request.signatureInput}), matching integrity check: loads.`);

    generate_script_test(request, `ed25519-${kInvalidKey}`, EXPECT_BLOCKED,

                        `Valid signature (${request.signatureInput}), mismatched integrity check: blocked.`);

// Test cases for failure

const kFailingRequests = [

    // Valid signature, but the "content-type" header value does not match what is signed.

        body: kBody,

        digest: kDigest,

        signature: kSignatures.digest_then_ct,

        signatureInput: `signature=("unencoded-digest";sf "content-type");keyid="${kValidKeys["rfc"]}";tag="sri"`,

        type: "text/plain", // The signature was for "application/javascript"

        description: "Mismatched header value"

},

    // Valid signature, but a signed header is missing from the response.

        body: kBody,

        digest: kDigest,

        signature: kSignatures.with_extra_header,

        signatureInput: `signature=("content-type" "x-extra-header" "unencoded-digest";sf);keyid="${kValidKeys["rfc"]}";tag="sri"`,

        description: "Missing signed header"

];

for (const request of kFailingRequests) {

    const description = request.description;

    // fetch():

    generate_fetch_test(request, {}, EXPECT_BLOCKED,

                        `${description}: blocked.`);

    generate_fetch_test(request, {integrity:`ed25519-${kValidKeys["rfc"]}`}, EXPECT_BLOCKED,

                        `${description} with matching integrity: blocked.`);

    // <script>:

    generate_script_test(request, "", EXPECT_BLOCKED,

                        `${description}: blocked.`);

    generate_script_test(request, `ed25519-${kValidKeys["rfc"]}`, EXPECT_BLOCKED,

                        `${description} with matching integrity: blocked.`);