summaryrefslogtreecommitdiffstats
path: root/testing/web-platform/tests/preload/subresource-integrity.html
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--testing/web-platform/tests/preload/subresource-integrity.html381
1 files changed, 381 insertions, 0 deletions
diff --git a/testing/web-platform/tests/preload/subresource-integrity.html b/testing/web-platform/tests/preload/subresource-integrity.html
new file mode 100644
index 0000000000..58f59126ed
--- /dev/null
+++ b/testing/web-platform/tests/preload/subresource-integrity.html
@@ -0,0 +1,381 @@
+<!DOCTYPE html>
+<meta charset=utf-8>
+<title>Subresource Integrity</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/resources/sriharness.js"></script>
+<script src="/common/utils.js"></script>
+<script src="/subresource-integrity/sri-test-helpers.sub.js"></script>
+<script src="./resources/preload_helper.js"></script>
+
+
+<div id="log"></div>
+
+<div id="container"></div>
+<script>
+ // This is a list of information for each preload destination. The information
+ // is used in a loop iterating over the below tests, so that each test is run
+ // for each destination.
+ const preload_destination_info = [
+ {
+ destination: 'script', ext: '.js', supports_sri: true,
+ sha256: 'sha256-Bu681KMnQ15RYHFvsYdWumweeFAw0hJDTFt9seErghA=',
+ sha384: 'sha384-cINXh+nCzEHPWzXS7eoT+vYMBpyqczOybRLNU3XAButFWCRhHT5hLByIbPRqIm2f',
+ sha512: 'sha512-KZdenhzBd7X7Q/vmaOSyvFz1CGdoVt26xzCZjlkU9lfBEK+V/ougGys7iYDi0+tOHIQSQa87bIqx95R7GU7I9Q=='
+ },
+ {
+ destination: 'style', ext: '.css', supports_sri: true,
+ sha256: 'sha256-CzHgdJ7wOccM8L89n4bhcJMz3F+SPLT7YZk7gyCWUV4=',
+ sha384: 'sha384-wDAWxH4tOWBwAwHfBn9B7XuNmFxHTMeigAMwn0iVQ0zq3FtmYMLxihcGnU64CwcX',
+ sha512: 'sha512-9wXDjd6Wq3H6nPAhI9zOvG7mJkUr03MTxaO+8ztTKnfJif42laL93Be/IF6YYZHHF4esitVYxiwpY2HSZX4l6w=='
+ },
+ {
+ destination: 'image', ext: '.png', supports_sri: false,
+ sha256: 'sha256-h7rQ5CQooD7qmTmrNxykCgjz3lDM1CBl2hkY1CTpB2I=',
+ sha384: 'sha384-DqrhF5pyW9u4FJsleRwjTAwKDSspQbxk9oux9BtcaANyji0kzpb7b4Cw3TM4MGNk',
+ sha512: 'sha512-wyY+ChJ1B5ovayDkbBeEv7nuHJ0uws14KoLyFSLKngFzHzm6VaTNA/ndx/Lnt/vPx6BN1cJB7+JNa4aAUGOlgg=='
+ },
+ // TODO(domfarolino): Add more destinations.
+ ];
+
+ for (const info of preload_destination_info) {
+ const {destination, ext, supports_sri, sha256, sha384, sha512} = info;
+
+ // Preload + Subresource Integrity tests. These tests work by passing some
+ // destination-specific information (defined in |preload_destination_info|)
+ // to the below tests, which do the following:
+ // Create a <link rel="preload"> for the given destination, with the
+ // specified `integrity`. After this has either loaded or failed to load,
+ // the subresource element corresponding to |destination| will be created,
+ // attempting to re-use the preloaded resource. `integrity` may be specified
+ // on the subresource elements that support SRI as well. The subresource
+ // will either load or fail to load, and the result will be compared with an
+ // expectation passed to the test.
+ SRIPreloadTest(
+ true, /* preload_sri_success */
+ true, /* subresource_sri_success */
+ `Same-origin ${destination} with correct sha256 hash.`, /* name */
+ 1, /* number_of_requests */
+ destination, /* destination */
+ same_origin_prefix + destination + ext + `?${token()}`, /* resource_url (for preload + subresource) */
+ {integrity: sha256}, /* link_attrs */
+ {} /* subresource_attrs */
+ )
+
+ SRIPreloadTest(
+ true,
+ true,
+ `Same-origin ${destination} with correct sha384 hash.`,
+ 1,
+ destination,
+ same_origin_prefix + destination + ext + `?${token()}`,
+ {integrity: sha384},
+ {}
+ )
+
+ SRIPreloadTest(
+ true,
+ true,
+ `Same-origin ${destination} with correct sha512 hash.`,
+ 1,
+ destination,
+ same_origin_prefix + destination + ext + `?${token()}`,
+ {integrity: sha512},
+ {}
+ )
+
+ SRIPreloadTest(
+ true,
+ true,
+ `Same-origin ${destination} with empty integrity.`,
+ 1,
+ destination,
+ same_origin_prefix + destination + ext + `?${token()}`,
+ {},
+ {}
+ )
+
+ SRIPreloadTest(
+ false,
+ false,
+ `Same-origin ${destination} with incorrect hash.`,
+ 1,
+ destination,
+ same_origin_prefix + destination + ext + `?${token()}`,
+ {integrity: "sha256-deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdead"},
+ {}
+ )
+
+ SRIPreloadTest(
+ true,
+ true,
+ `Same-origin ${destination} with multiple sha256 hashes, including correct.`,
+ 1,
+ destination,
+ same_origin_prefix + destination + ext + `?${token()}`,
+ {integrity: `${sha256} sha256-deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdead`},
+ {}
+ )
+
+ SRIPreloadTest(
+ true,
+ true,
+ `Same-origin ${destination} with multiple sha256 hashes, including unknown algorithm.`,
+ 1,
+ destination,
+ same_origin_prefix + destination + ext + `?${token()}`,
+ {integrity: `${sha256} foo666-deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdead`},
+ {}
+ )
+
+ SRIPreloadTest(
+ true,
+ true,
+ `Same-origin ${destination} with sha256 mismatch, sha512 match`,
+ 1,
+ destination,
+ same_origin_prefix + destination + ext + `?${token()}`,
+ {integrity: `${sha512} sha256-deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdead`},
+ {}
+ )
+
+ SRIPreloadTest(
+ false,
+ false,
+ `Same-origin ${destination} with sha256 match, sha512 mismatch`,
+ 1,
+ destination,
+ same_origin_prefix + destination + ext + `?${token()}`,
+ {integrity: `sha512-deadbeefspbnUnwooKGNNCb39nvg+EW0O9hDScTXeo/9pVZztLSUYU3LNV6H0lZapo8bCJUpyPPLAzE9fDzpxg== ${sha256}`},
+ {}
+ )
+
+ SRIPreloadTest(
+ true,
+ true,
+ `<crossorigin='anonymous'> ${destination} with correct hash, ACAO: *`,
+ 1,
+ destination,
+ xorigin_prefix + destination + ext + `?${token()}` + anonymous,
+ {integrity: sha256, crossOrigin: 'anonymous'},
+ {crossOrigin: "anonymous"}
+ )
+
+ SRIPreloadTest(
+ false,
+ false,
+ `<crossorigin='anonymous'> ${destination} with incorrect hash, ACAO: *`,
+ 1,
+ destination,
+ xorigin_prefix + destination + ext + `?${token()}` + anonymous,
+ {integrity: "sha256-sha256-deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdead", crossOrigin: "anonymous"},
+ {crossOrigin: "anonymous"}
+ )
+
+ SRIPreloadTest(
+ true,
+ true,
+ `<crossorigin='use-credentials'> ${destination} with correct hash, CORS-eligible`,
+ 1,
+ destination,
+ xorigin_prefix + destination + ext + `?${token()}` + use_credentials,
+ {integrity: sha256, crossOrigin: "use-credentials"},
+ {crossOrigin: "use-credentials"}
+ )
+
+ SRIPreloadTest(
+ false,
+ false,
+ `<crossorigin='use-credentials'> ${destination} with incorrect hash CORS-eligible`,
+ 1,
+ destination,
+ xorigin_prefix + destination + ext + `?${token()}` + use_credentials,
+ {integrity: "sha256-deadbeef2S+pTRZgiw3DWrhC6JLDlt2zRyGpwH7unU8=", crossOrigin: "use-credentials"},
+ {crossOrigin: "use-credentials"}
+ )
+
+ SRIPreloadTest(
+ false,
+ false,
+ `<crossorigin='anonymous'> ${destination} with CORS-ineligible resource`,
+ 1,
+ destination,
+ // not piping ACAO header makes this CORS-ineligible
+ xorigin_prefix + destination + ext + `?${token()}`,
+ {integrity: sha256, crossOrigin: "anonymous"},
+ {crossOrigin: "anonymous"}
+ )
+
+ SRIPreloadTest(
+ false,
+ false,
+ `Cross-origin ${destination}, not CORS request, with correct hash`,
+ 1,
+ destination,
+ xorigin_prefix + destination + ext + `?${token()}` + anonymous,
+ {integrity: sha256},
+ {}
+ )
+
+ SRIPreloadTest(
+ false,
+ false,
+ `Cross-origin ${destination}, not CORS request, with hash mismatch`,
+ 1,
+ destination,
+ xorigin_prefix + destination + ext + `?${token()}` + anonymous,
+ {integrity: "sha256-deadbeef01Y0yKSx3/UoIKtIY2UQ9+H8WGyyMuOWOC0="},
+ {}
+ )
+
+ SRIPreloadTest(
+ true,
+ true,
+ `Cross-origin ${destination}, empty integrity`,
+ 1,
+ destination,
+ xorigin_prefix + destination + ext + `?${token()}` + anonymous,
+ {},
+ {}
+ )
+
+ SRIPreloadTest(
+ true,
+ true,
+ `Same-origin ${destination} with correct hash, options.`,
+ 1,
+ destination,
+ same_origin_prefix + destination + ext + `?${token()}`,
+ {integrity: `${sha256}?foo=bar?spam=eggs`},
+ {}
+ )
+
+ SRIPreloadTest(
+ true,
+ true,
+ `Same-origin ${destination} with unknown algorithm only.`,
+ 1,
+ destination,
+ same_origin_prefix + destination + ext + `?${token()}`,
+ {integrity: "foo666-8aBiAJl3ukQwSJ6eTs5wl6hGjnOtyXjcTRdAf89uIfY="},
+ {}
+ )
+
+ // The below tests are specific to subresource destinations that support
+ // SRI. See |supports_sri|.
+ if (supports_sri) {
+
+ SRIPreloadTest(
+ true,
+ true,
+ `Same-origin ${destination} with matching digest re-uses preload with matching digest.`,
+ 1,
+ destination,
+ same_origin_prefix + destination + ext + `?${token()}`,
+ {integrity: sha256},
+ {integrity: sha256}
+ )
+
+ SRIPreloadTest(
+ true,
+ true,
+ `Same-origin ${destination} with matching digest re-uses preload with matching digest and options.`,
+ 1,
+ destination,
+ same_origin_prefix + destination + ext + `?${token()}`,
+ {integrity: `${sha256}?dummy-option=value`},
+ {integrity: sha256}
+ )
+
+ SRIPreloadTest(
+ true,
+ false,
+ `Same-origin ${destination} with non-matching digest does not re-use preload with matching digest.`,
+ 2,
+ destination,
+ same_origin_prefix + destination + ext + `?${token()}`,
+ {integrity: sha256},
+ {integrity: "sha256-deadbeefQ15RYHFvsYdWumweeFAw0hJDTFt9seErghA="}
+ )
+
+ SRIPreloadTest(
+ false,
+ true,
+ `Same-origin ${destination} with matching digest does not re-use preload with non-matching digest.`,
+ 2,
+ destination,
+ same_origin_prefix + destination + ext + `?${token()}`,
+ {integrity: "sha256-deadbeefQ15RYHFvsYdWumweeFAw0hJDTFt9seErghA="},
+ {integrity: sha256}
+ )
+
+ SRIPreloadTest(
+ false,
+ false,
+ `Same-origin ${destination} with non-matching digest does not re-use preload with non-matching digest.`,
+ 2,
+ destination,
+ same_origin_prefix + destination + ext + `?${token()}`,
+ {integrity: "sha256-deadbeefQ15RYHFvsYdWumweeFAw0hJDTFt9seErghA="},
+ {integrity: "sha256-deaddeadbeefYHFvsYdWumweeFAw0hJDTFt9seErghA="}
+ )
+
+ SRIPreloadTest(
+ true,
+ true,
+ `Same-origin ${destination} with matching digest does not reuse preload without digest.`,
+ 2,
+ destination,
+ same_origin_prefix + destination + ext + `?${token()}`,
+ {},
+ {integrity: sha256}
+ )
+
+ SRIPreloadTest(
+ true,
+ true,
+ `Same-origin ${destination} with matching digest does not reuse preload with matching but stronger digest.`,
+ 2,
+ destination,
+ same_origin_prefix + destination + ext + `?${token()}`,
+ {integrity: sha384},
+ {integrity: sha256},
+ )
+
+ SRIPreloadTest(
+ true,
+ false,
+ `Same-origin ${destination} with wrong digest does not reuse preload with correct and stronger digest.`,
+ 2,
+ destination,
+ same_origin_prefix + destination + ext + `?${token()}`,
+ {integrity: sha384},
+ {integrity: "sha256-deadbeefQ15RYHFvsYdWumweeFAw0hJDTFt9seErghA="}
+ )
+
+ SRIPreloadTest(
+ true,
+ true,
+ `Same-origin ${destination} with matching digest does not reuse preload with matching but weaker digest.`,
+ 2,
+ destination,
+ same_origin_prefix + destination + ext + `?${token()}`,
+ {integrity: sha256},
+ {integrity: sha384},
+ )
+
+ SRIPreloadTest(
+ true,
+ false,
+ `Same-origin ${destination} with non-matching digest reuses preload with no digest but fails.`,
+ 2,
+ destination,
+ same_origin_prefix + destination + ext + `?${token()}`,
+ {},
+ {integrity: "sha256-sha256-deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdead"},
+ )
+
+ } // if.
+
+ } // for-of.
+</script>