summaryrefslogtreecommitdiffstats
path: root/testing/web-platform/tests/subresource-integrity/subresource-integrity.html
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 09:22:09 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-07 09:22:09 +0000
commit43a97878ce14b72f0981164f87f2e35e14151312 (patch)
tree620249daf56c0258faa40cbdcf9cfba06de2a846 /testing/web-platform/tests/subresource-integrity/subresource-integrity.html
parentInitial commit. (diff)
downloadfirefox-upstream.tar.xz
firefox-upstream.zip
Adding upstream version 110.0.1.upstream/110.0.1upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'testing/web-platform/tests/subresource-integrity/subresource-integrity.html')
-rw-r--r--testing/web-platform/tests/subresource-integrity/subresource-integrity.html468
1 files changed, 468 insertions, 0 deletions
diff --git a/testing/web-platform/tests/subresource-integrity/subresource-integrity.html b/testing/web-platform/tests/subresource-integrity/subresource-integrity.html
new file mode 100644
index 0000000000..355e1da1d7
--- /dev/null
+++ b/testing/web-platform/tests/subresource-integrity/subresource-integrity.html
@@ -0,0 +1,468 @@
+<!DOCTYPE html>
+<meta charset=utf-8>
+<title>Subresource Integrity</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/resources/sriharness.js"></script>
+<script src="/common/utils.js"></script>
+<script src="sri-test-helpers.sub.js"></script>
+
+<div id="log"></div>
+
+<div id="container"></div>
+<script>
+ var style_tests = [];
+ style_tests.execute = function() {
+ if (this.length > 0) {
+ this.shift().execute();
+ }
+ }
+ add_result_callback(function(res) {
+ if (res.name.startsWith("Style: ")) {
+ style_tests.execute();
+ }
+ });
+
+ // Script tests
+ new SRIScriptTest(
+ true,
+ "Same-origin with correct sha256 hash.",
+ `${same_origin_prefix}script.js?${token()}`,
+ "sha256-Bu681KMnQ15RYHFvsYdWumweeFAw0hJDTFt9seErghA="
+ ).execute();
+
+ new SRIScriptTest(
+ true,
+ "Same-origin with correct sha384 hash.",
+ `${same_origin_prefix}script.js?${token()}`,
+ "sha384-cINXh+nCzEHPWzXS7eoT+vYMBpyqczOybRLNU3XAButFWCRhHT5hLByIbPRqIm2f"
+ ).execute();
+
+ new SRIScriptTest(
+ true,
+ "Same-origin with correct sha512 hash.",
+ `${same_origin_prefix}script.js?${token()}`,
+ "sha512-KZdenhzBd7X7Q/vmaOSyvFz1CGdoVt26xzCZjlkU9lfBEK+V/ougGys7iYDi0+tOHIQSQa87bIqx95R7GU7I9Q=="
+ ).execute();
+
+ new SRIScriptTest(
+ true,
+ "Same-origin with empty integrity.",
+ `${same_origin_prefix}script.js?${token()}`,
+ ""
+ ).execute();
+
+ new SRIScriptTest(
+ false,
+ "Same-origin with incorrect hash.",
+ `${same_origin_prefix}script.js?${token()}`,
+ "sha256-deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdead"
+ ).execute();
+
+ // Scripts with integrity attribute changed after #prepare-a-script.
+ new SRIScriptTest(
+ false,
+ "Same-origin with incorrect integrity => cleared after prepare.",
+ `${same_origin_prefix}script.js?${token()}`,
+ "sha256-deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdead",
+ undefined,
+ undefined,
+ null
+ ).execute();
+
+ new SRIScriptTest(
+ false,
+ "Same-origin with incorrect integrity => set to correct hash after prepare.",
+ `${same_origin_prefix}script.js?${token()}`,
+ "sha256-deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdead",
+ undefined,
+ undefined,
+ "sha256-Bu681KMnQ15RYHFvsYdWumweeFAw0hJDTFt9seErghA="
+ ).execute();
+
+ new SRIScriptTest(
+ true,
+ "Same-origin with empty integrity => set to incorrect hash after prepare.",
+ `${same_origin_prefix}script.js?${token()}`,
+ "",
+ undefined,
+ undefined,
+ "sha256-deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdead"
+ ).execute();
+
+ new SRIScriptTest(
+ true,
+ "Same-origin with correct integrity => set to incorrect hash after prepare.",
+ `${same_origin_prefix}script.js?${token()}`,
+ "sha256-Bu681KMnQ15RYHFvsYdWumweeFAw0hJDTFt9seErghA=",
+ undefined,
+ undefined,
+ "sha256-deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdead"
+ ).execute();
+
+ new SRIScriptTest(
+ true,
+ "Same-origin with multiple sha256 hashes, including correct.",
+ `${same_origin_prefix}script.js?${token()}`,
+ "sha256-Bu681KMnQ15RYHFvsYdWumweeFAw0hJDTFt9seErghA= sha256-deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdead"
+ ).execute();
+
+ new SRIScriptTest(
+ true,
+ "Same-origin with multiple sha256 hashes, including unknown algorithm.",
+ `${same_origin_prefix}script.js?${token()}`,
+ "sha256-Bu681KMnQ15RYHFvsYdWumweeFAw0hJDTFt9seErghA= foo666-deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdead"
+ ).execute();
+
+ new SRIScriptTest(
+ true,
+ "Same-origin with sha256 mismatch, sha512 match",
+ `${same_origin_prefix}script.js?${token()}`,
+ "sha512-KZdenhzBd7X7Q/vmaOSyvFz1CGdoVt26xzCZjlkU9lfBEK+V/ougGys7iYDi0+tOHIQSQa87bIqx95R7GU7I9Q== sha256-deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdead"
+ ).execute();
+
+ new SRIScriptTest(
+ false,
+ "Same-origin with sha256 match, sha512 mismatch",
+ `${same_origin_prefix}script.js?${token()}`,
+ "sha512-deadbeefspbnUnwooKGNNCb39nvg+EW0O9hDScTXeo/9pVZztLSUYU3LNV6H0lZapo8bCJUpyPPLAzE9fDzpxg== sha256-Bu681KMnQ15RYHFvsYdWumweeFAw0hJDTFt9seErghA="
+ ).execute();
+
+ new SRIScriptTest(
+ true,
+ "<crossorigin='anonymous'> with correct hash, ACAO: *",
+ `${xorigin_prefix}script.js?${token()}&pipe=header(Access-Control-Allow-Origin,*)`,
+ "sha256-Bu681KMnQ15RYHFvsYdWumweeFAw0hJDTFt9seErghA=",
+ "anonymous"
+ ).execute();
+
+ new SRIScriptTest(
+ false,
+ "<crossorigin='anonymous'> with incorrect hash, ACAO: *",
+ `${xorigin_prefix}script.js?${token()}&pipe=header(Access-Control-Allow-Origin,*)`,
+ "sha256-deadbeefcSLlbFZCj1OACLxTxVck2TOrBTEdUbwz1yU=",
+ "anonymous"
+ ).execute();
+
+ new SRIScriptTest(
+ true,
+ "<crossorigin='use-credentials'> with correct hash, CORS-eligible",
+ `${xorigin_prefix}script.js?${token()}&pipe=header(Access-Control-Allow-Credentials,true)|header(Access-Control-Allow-Origin,${location.origin})`,
+ "sha256-Bu681KMnQ15RYHFvsYdWumweeFAw0hJDTFt9seErghA=",
+ "use-credentials"
+ ).execute();
+
+ new SRIScriptTest(
+ false,
+ "<crossorigin='use-credentials'> with incorrect hash CORS-eligible",
+ `${xorigin_prefix}script.js?${token()}&pipe=header(Access-Control-Allow-Credentials,true)|header(Access-Control-Allow-Origin,${location.origin})`,
+ "sha256-deadbeef2S+pTRZgiw3DWrhC6JLDlt2zRyGpwH7unU8=",
+ "use-credentials"
+ ).execute();
+
+ new SRIScriptTest(
+ false,
+ "<crossorigin='anonymous'> with CORS-ineligible resource",
+ `${xorigin_prefix}script.js?${token()}`, /* no ACAO header makes this CORS-ineligible */
+ "sha256-Bu681KMnQ15RYHFvsYdWumweeFAw0hJDTFt9seErghA=",
+ "anonymous"
+ ).execute();
+
+ new SRIScriptTest(
+ false,
+ "Cross-origin, not CORS request, with correct hash",
+ `${xorigin_prefix}script.js?${token()}&pipe=header(Access-Control-Allow-Origin,*)`,
+ "sha256-Bu681KMnQ15RYHFvsYdWumweeFAw0hJDTFt9seErghA="
+ ).execute();
+
+ new SRIScriptTest(
+ false,
+ "Cross-origin, not CORS request, with hash mismatch",
+ `${xorigin_prefix}script.js?${token()}&pipe=header(Access-Control-Allow-Origin,*)`,
+ "sha256-deadbeef01Y0yKSx3/UoIKtIY2UQ9+H8WGyyMuOWOC0="
+ ).execute();
+
+ new SRIScriptTest(
+ true,
+ "Cross-origin, empty integrity",
+ `${xorigin_prefix}script.js?${token()}&pipe=header(Access-Control-Allow-Origin,*)`,
+ ""
+ ).execute();
+
+ new SRIScriptTest(
+ true,
+ "Same-origin with correct hash, options.",
+ `${same_origin_prefix}script.js?${token()}`,
+ "sha256-Bu681KMnQ15RYHFvsYdWumweeFAw0hJDTFt9seErghA=?foo=bar?spam=eggs"
+ ).execute();
+
+ new SRIScriptTest(
+ true,
+ "Same-origin with unknown algorithm only.",
+ `${same_origin_prefix}script.js?${token()}`,
+ "foo666-U9WYDtBWkcHx13+9UKk/3Q5eoqDc4YGxYb07EPWzb9E="
+ ).execute();
+
+ // Style tests
+ new SRIStyleTest(
+ style_tests,
+ true,
+ "Same-origin with correct sha256 hash",
+ {
+ href: "style.css?1",
+ integrity: "sha256-CzHgdJ7wOccM8L89n4bhcJMz3F+SPLT7YZk7gyCWUV4="
+ }
+ );
+
+ new SRIStyleTest(
+ style_tests,
+ true,
+ "Same-origin with correct sha384 hash",
+ {
+ href: "style.css?2",
+ integrity: "sha384-wDAWxH4tOWBwAwHfBn9B7XuNmFxHTMeigAMwn0iVQ0zq3FtmYMLxihcGnU64CwcX"
+ }
+ );
+
+ new SRIStyleTest(
+ style_tests,
+ true,
+ "Same-origin with correct sha512 hash",
+ {
+ href: "style.css?3",
+ integrity: "sha512-9wXDjd6Wq3H6nPAhI9zOvG7mJkUr03MTxaO+8ztTKnfJif42laL93Be/IF6YYZHHF4esitVYxiwpY2HSZX4l6w=="
+ }
+ );
+
+ new SRIStyleTest(
+ style_tests,
+ true,
+ "Same-origin with empty integrity",
+ {
+ href: "style.css?4",
+ integrity: ""
+ }
+ );
+
+ new SRIStyleTest(
+ style_tests,
+ false,
+ "Same-origin with incorrect hash.",
+ {
+ href: "style.css?5",
+ integrity: "sha256-deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdead"
+ }
+ );
+
+ new SRIStyleTest(
+ style_tests,
+ true,
+ "Same-origin with multiple sha256 hashes, including correct.",
+ {
+ href: "style.css?6",
+ integrity: "sha256-CzHgdJ7wOccM8L89n4bhcJMz3F+SPLT7YZk7gyCWUV4= sha256-deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdead"
+ }
+ );
+
+ new SRIStyleTest(
+ style_tests,
+ true,
+ "Same-origin with multiple sha256 hashes, including unknown algorithm.",
+ {
+ href: "style.css?7",
+ integrity: "sha256-CzHgdJ7wOccM8L89n4bhcJMz3F+SPLT7YZk7gyCWUV4= foo666-deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdead"
+ }
+ );
+
+ new SRIStyleTest(
+ style_tests,
+ true,
+ "Same-origin with sha256 mismatch, sha512 match",
+ {
+ href: "style.css?8",
+ integrity: "sha512-9wXDjd6Wq3H6nPAhI9zOvG7mJkUr03MTxaO+8ztTKnfJif42laL93Be/IF6YYZHHF4esitVYxiwpY2HSZX4l6w== sha256-deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdead"
+ }
+ );
+
+ new SRIStyleTest(
+ style_tests,
+ false,
+ "Same-origin with sha256 match, sha512 mismatch",
+ {
+ href: "style.css?9",
+ integrity: "sha512-deadbeef9wXDjd6Wq3H6nPAhI9zOvG7mJkUr03MTxaO+8ztTKnfJif42laL93Be/IF6YYZHHF4esitVYxiwpY2== sha256-CzHgdJ7wOccM8L89n4bhcJMz3F+SPLT7YZk7gyCWUV4="
+ }
+ );
+
+ new SRIStyleTest(
+ style_tests,
+ true,
+ "<crossorigin='anonymous'> with correct hash, ACAO: *",
+ {
+ href: xorigin_anon_style + '&1',
+ integrity: "sha256-CzHgdJ7wOccM8L89n4bhcJMz3F+SPLT7YZk7gyCWUV4=",
+ crossorigin: "anonymous"
+ }
+ );
+
+ new SRIStyleTest(
+ style_tests,
+ false,
+ "<crossorigin='anonymous'> with incorrect hash, ACAO: *",
+ {
+ href: xorigin_anon_style + '&2',
+ integrity: "sha256-deadbeefCzHgdJ7wOccM8L89n4bhcJMz3F+SPLT7YZk=",
+ crossorigin: "anonymous"
+ }
+ );
+
+ new SRIStyleTest(
+ style_tests,
+ true,
+ "<crossorigin='use-credentials'> with correct hash, CORS-eligible",
+ {
+ href: xorigin_creds_style + '&1',
+ integrity: "sha256-CzHgdJ7wOccM8L89n4bhcJMz3F+SPLT7YZk7gyCWUV4=",
+ crossorigin: "use-credentials"
+ }
+ );
+
+ new SRIStyleTest(
+ style_tests,
+ false,
+ "<crossorigin='use-credentials'> with incorrect hash CORS-eligible",
+ {
+ href: xorigin_creds_style + '&2',
+ integrity: "sha256-deadbeefCzHgdJ7wOccM8L89n4bhcJMz3F+SPLT7YZk=",
+ crossorigin: "use-credentials"
+ }
+ );
+
+ new SRIStyleTest(
+ style_tests,
+ false,
+ "<crossorigin='anonymous'> with CORS-ineligible resource",
+ {
+ href: xorigin_ineligible_style + '&1',
+ integrity: "sha256-CzHgdJ7wOccM8L89n4bhcJMz3F+SPLT7YZk7gyCWUV4=",
+ crossorigin: "anonymous"
+ }
+ );
+
+ new SRIStyleTest(
+ style_tests,
+ false,
+ "Cross-origin, not CORS request, with correct hash",
+ {
+ href: xorigin_anon_style + '&3',
+ integrity: "sha256-CzHgdJ7wOccM8L89n4bhcJMz3F+SPLT7YZk7gyCWUV4="
+ }
+ );
+
+ new SRIStyleTest(
+ style_tests,
+ false,
+ "Cross-origin, not CORS request, with hash mismatch",
+ {
+ href: xorigin_anon_style + '&4',
+ integrity: "sha256-deadbeefCzHgdJ7wOccM8L89n4bhcJMz3F+SPLT7YZk="
+ }
+ );
+
+ new SRIStyleTest(
+ style_tests,
+ true,
+ "Cross-origin, empty integrity",
+ {
+ href: xorigin_anon_style + '&5',
+ integrity: ""
+ }
+ );
+
+ new SRIStyleTest(
+ style_tests,
+ true,
+ "Same-origin with correct hash, options.",
+ {
+ href: "style.css?10",
+ integrity: "sha256-CzHgdJ7wOccM8L89n4bhcJMz3F+SPLT7YZk7gyCWUV4=?foo=bar?spam=eggs"
+ }
+ );
+
+ new SRIStyleTest(
+ style_tests,
+ true,
+ "Same-origin with unknown algorithm only.",
+ {
+ href: "style.css?11",
+ integrity: "foo666-CzHgdJ7wOccM8L89n4bhcJMz3F+SPLT7YZk7gyCWUV4=?foo=bar?spam=eggs"
+ }
+ );
+
+ new SRIStyleTest(
+ style_tests,
+ true,
+ "Same-origin with correct sha256 hash, rel='stylesheet license'",
+ {
+ href: "style.css?12",
+ integrity: "sha256-CzHgdJ7wOccM8L89n4bhcJMz3F+SPLT7YZk7gyCWUV4=",
+ rel: "stylesheet license"
+ }
+ );
+
+ new SRIStyleTest(
+ style_tests,
+ true,
+ "Same-origin with correct sha256 hash, rel='license stylesheet'",
+ {
+ href: "style.css?13",
+ integrity: "sha256-CzHgdJ7wOccM8L89n4bhcJMz3F+SPLT7YZk7gyCWUV4=",
+ rel: "license stylesheet"
+ }
+ );
+
+ new SRIStyleTest(
+ style_tests,
+ true,
+ "Same-origin with correct sha256 and sha512 hash, rel='alternate stylesheet' enabled",
+ {
+ href: "alternate.css?1",
+ title: "alt",
+ type: "text/css",
+ class: "alternate",
+ disabled: "disabled",
+ rel: "alternate stylesheet",
+ integrity: "sha256-phbz83bWhnLig+d2VPKrRrTRyhqoDRo1ruGqZLZ0= sha512-8OYEB7ktnzcb6h+kB9CUIuc8qvKIyLpygRJdQSEEycRy74dUsB+Yu9rSjpOPjRUblle8WWX9Gn7v39LK2Oceig==",
+ },
+ function (link, container) {
+ var alternate = document.querySelector('link.alternate');
+ alternate.disabled = false;
+ },
+ "rgb(255, 0, 0)"
+ );
+
+ new SRIStyleTest(
+ style_tests,
+ false,
+ "Same-origin with incorrect sha256 and sha512 hash, rel='alternate stylesheet' enabled",
+ {
+ href: "alternate.css?2",
+ title: "alt",
+ type: "text/css",
+ class: "alternate",
+ disabled: "disabled",
+ rel: "alternate stylesheet",
+ integrity: "sha256-fail83bWhnLig+d2VPKrRrTRyhqoDRo1ruGqZLZ0= sha512-failB7ktnzcb6h+kB9CUIuc8qvKIyLpygRJdQSEEycRy74dUsB+Yu9rSjpOPjRUblle8WWX9Gn7v39LK2Oceig==",
+ },
+ function (link, container) {
+ var alternate = document.querySelector('link.alternate');
+ alternate.disabled = false;
+ }
+ );
+
+ style_tests.execute();
+
+</script>
+<!-- TODO check cache-poisoned resources, transfer-encoding, 3xx redirect
+ to resource with matching hash, and cross-origin leakage test as in sec5.3.
+ -->
generated by cgit v1.2.3 (git 2.39.1) at 2025-01-25 05:07:03 +0000