horok/firefox
1
0
Fork 0
Code Activity
firefox/testing/web-platform/tests/subresource-integrity/signatures/tentative/csp.window.js
Daniel Baumann 5e9a113729
Adding upstream version 140.0. 
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
2025-06-25 09:37:52 +02:00

47 lines
3 KiB
JavaScript
Raw Permalink Blame History

// META: script=helper.js
// Here, we're replicating many of the tests from `script.window.js`, but
// doing so in the presence of a CSP that requires the RFC's test key to
// be asserted as integrity metadata.
// First, enforce CSP:
const el = document.createElement('meta');
el.httpEquiv = "content-security-policy";
el.content = `script-src 'ed25519-${kValidKeys['rfc']}'`;
document.head.appendChild(el);
// Unsigned scripts should not load, regardless of integrity metadata:
generate_script_test(kUnsignedShouldBlock, "", EXPECT_BLOCKED,
"No signature, no integrity check: blocked.");
generate_script_test(kUnsignedShouldBlock, "ed25519-???", EXPECT_BLOCKED,
"No signature, malformed integrity check: blocked.");
generate_script_test(kUnsignedShouldBlock, `ed25519-${kValidKeys['rfc']}`, EXPECT_BLOCKED,
"No signature, integrity check: blocked.");
// Signed scripts should load iff valid integrity metadata is explicitly asserted:
generate_script_test(kSignedShouldBlock, "", EXPECT_BLOCKED,
"Valid signature, no integrity check: blocked.");
generate_script_test(kSignedShouldBlock, "ed25519-???", EXPECT_BLOCKED,
"Valid signature, malformed integrity check: blocked.");
generate_script_test(kSignedShouldExecute, `ed25519-${kValidKeys['rfc']}`, EXPECT_LOADED,
"Valid signature, valid integrity check: loads.");
generate_script_test(kSignedShouldExecute, `ed25519-${kValidKeys['rfc']} ed25519-${kValidKeys['arbitrary']}`, EXPECT_BLOCKED,
"Valid signature, one matching and one mismatched integrity check: blocked.");
generate_script_test(kSignedShouldBlock, `ed25519-${kValidKeys['arbitrary']}`, EXPECT_BLOCKED,
"Valid signature, mismatched integrity check: blocked.");
// Likewise, scripts signed with multiple signatures will still require valid integrity metadata to be asserted:
generate_script_test(kMultiplySignedShouldBlock, "", EXPECT_BLOCKED,
"Valid signatures, no integrity check: blocked.");
generate_script_test(kMultiplySignedShouldBlock, "ed25519-???", EXPECT_BLOCKED,
"Valid signatures, malformed integrity check: blocked.");
generate_script_test(kMultiplySignedShouldExecute, `ed25519-${kValidKeys['rfc']}`, EXPECT_LOADED,
"Valid signatures, integrity check matches one: loads.");
generate_script_test(kMultiplySignedShouldBlock, `ed25519-${kValidKeys['arbitrary']}`, EXPECT_BLOCKED,
"Valid signatures, integrity check matches the other: blocked.");
generate_script_test(kMultiplySignedShouldBlock, `ed25519-${kValidKeys['rfc']} ed25519-${kValidKeys['arbitrary']}`, EXPECT_BLOCKED,
"Valid signatures, integrity check matches both, but only one in CSP: blocked.");
generate_script_test(kMultiplySignedShouldBlock, `ed25519-${kInvalidKey}`, EXPECT_BLOCKED,
"Valid signatures, integrity check matches neither: blocked.");
View git blame Copy permalink