dom/security/test/sri/iframe_script_crossdomain.html


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135

<!DOCTYPE HTML>
<!-- Any copyright is dedicated to the Public Domain.
     http://creativecommons.org/publicdomain/zero/1.0/ -->
<html>
<head>
  <script src="/tests/SimpleTest/SimpleTest.js"></script>
  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
</head>
<body>
<p id="display"></p>
<div id="content" style="display: none">
</div>
<pre id="test">
</pre>

<script type="application/javascript">
  SimpleTest.waitForExplicitFinish();

  window.hasCORSLoaded = false;
  window.hasNonCORSLoaded = false;

  function good_nonsriLoaded() {
    ok(true, "Non-eligible non-SRI resource was loaded correctly.");
  }
  function bad_nonsriBlocked() {
    ok(false, "Non-eligible non-SRI resources should be loaded!");
  }

  function good_nonCORSInvalidBlocked() {
    ok(true, "A non-CORS resource with invalid metadata was correctly blocked.");
  }
  function bad_nonCORSInvalidLoaded() {
    ok(false, "Non-CORS resources with invalid metadata should be blocked!");
  }

  window.onerrorCalled = false;
  window.onloadCalled = false;

  function bad_onloadCalled() {
    window.onloadCalled = true;
  }

  function good_onerrorCalled() {
    window.onerrorCalled = true;
  }

  function good_incorrect301Blocked() {
    ok(true, "A non-CORS load with incorrect hash redirected to a different origin was blocked correctly.");
  }
  function bad_incorrect301Loaded() {
    ok(false, "Non-CORS loads with incorrect hashes redirecting to a different origin should be blocked!");
  }

  function good_correct301Blocked() {
    ok(true, "A non-CORS load with correct hash redirected to a different origin was blocked correctly.");
  }
  function bad_correct301Loaded() {
    ok(false, "Non-CORS loads with correct hashes redirecting to a different origin should be blocked!");
  }

  function good_correctDataLoaded() {
    ok(true, "Since data: URLs are same-origin, they should be loaded.");
  }
  function bad_correctDataBlocked() {
    todo(false, "We should not block scripts in data: URIs!");
  }
  function good_correctDataCORSLoaded() {
    ok(true, "A data: URL with a CORS load was loaded correctly.");
  }
  function bad_correctDataCORSBlocked() {
    ok(false, "We should not BLOCK scripts!");
  }

  window.onload = function() {
    SimpleTest.finish()
  }
</script>

<!-- cors-enabled. should be loaded -->
<script src="http://example.com/tests/dom/security/test/sri/script_crossdomain1.js"
        crossorigin=""
        integrity="sha512-9Tv2DL1fHvmPQa1RviwKleE/jq72jgxj8XGLyWn3H6Xp/qbtfK/jZINoPFAv2mf0Nn1TxhZYMFULAbzJNGkl4Q=="></script>

<!-- not cors-enabled. should be blocked -->
<script src="http://example.com/tests/dom/security/test/sri/script_crossdomain2.js"
        crossorigin="anonymous"
        integrity="sha256-ntgU2U1xv7HfK1XWMTSWz6vJkyVtGzMrIAxQkux1I94="
        onload="bad_onloadCalled()"
        onerror="good_onerrorCalled()"></script>

<!-- non-cors but not actually using SRI. should trigger onload -->
<script src="http://example.com/tests/dom/security/test/sri/script_crossdomain3.js"
        integrity="    "
        onload="good_nonsriLoaded()"
        onerror="bad_nonsriBlocked()"></script>

<!-- non-cors with invalid metadata -->
<script src="http://example.com/tests/dom/security/test/sri/script_crossdomain4.js"
        integrity="sha256-bogus"
        onload="bad_nonCORSInvalidLoaded()"
        onerror="good_nonCORSInvalidBlocked()"></script>

<!-- non-cors that's same-origin initially but redirected to another origin -->
<script src="script_301.js"
        integrity="sha384-invalid"
        onerror="good_incorrect301Blocked()"
        onload="bad_incorrect301Loaded()"></script>

<!-- non-cors that's same-origin initially but redirected to another origin -->
<script src="script_301.js"
        integrity="sha384-1NpiDI6decClMaTWSCAfUjTdx1BiOffsCPgH4lW5hCLwmHk0VyV/g6B9Sw2kD2K3"
        onerror="good_correct301Blocked()"
        onload="bad_correct301Loaded()"></script>

<!-- data: URLs are same-origin -->
<script src="data:,console.log('data:valid');"
        integrity="sha256-W5I4VIN+mCwOfR9kDbvWoY1UOVRXIh4mKRN0Nz0ookg="
        onerror="bad_correctDataBlocked()"
        onload="good_correctDataLoaded()"></script>

<!-- not cors-enabled with data: URLs. should trigger onload -->
<script src="data:,console.log('data:valid');"
        crossorigin="anonymous"
        integrity="sha256-W5I4VIN+mCwOfR9kDbvWoY1UOVRXIh4mKRN0Nz0ookg="
        onerror="bad_correctDataCORSBlocked()"
        onload="good_correctDataCORSLoaded()"></script>

<script>
  ok(window.hasCORSLoaded, "CORS-enabled resource with a correct hash");
  ok(!window.hasNonCORSLoaded, "Correct hash, but non-CORS, should be blocked");
  ok(!window.onloadCalled, "Failed loads should not call onload when they're cross-domain");
  ok(window.onerrorCalled, "Failed loads should call onerror when they're cross-domain");
</script>
</body>
</html>