Diffstat (limited to '')
-rw-r--r--testing/web-platform/tests/content-security-policy/script-src/script-src-sri_hash.sub.html104
-rw-r--r--testing/web-platform/tests/content-security-policy/script-src/script-src-sri_hash.sub.html.sub.headers5
2 files changed, 109 insertions, 0 deletions
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-sri_hash.sub.html b/testing/web-platform/tests/content-security-policy/script-src/script-src-sri_hash.sub.html
new file mode 100644
index 0000000000..b59206824d
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-sri_hash.sub.html
@@ -0,0 +1,104 @@
+<!DOCTYPE HTML>
+<html>
+
+<head>
+ <title>External scripts with matching SRI hash should be allowed.</title>
+ <script src='/resources/testharness.js' nonce='dummy'></script>
+ <script src='/resources/testharnessreport.js' nonce='dummy'></script>
+
+ <!-- CSP served: script-src {{domains[www]}}:* 'nonce-dummy' 'sha256-wIc3KtqOuTFEu6t17sIBuOswgkV406VJvhSk79Gw6U0=' 'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c=' 'sha512-rYCVMxWV5nq8IsMo+UZNObWtEiWGok/vDN8BMoEQi41s0znSes6E1Q2aag3Lw3u2J1w2rqH7uF2ws6FpQhfSOA=' -->
+</head>
+
+<body>
+ <h1>External scripts with matching SRI hash should be allowed.</h1>
+ <div id='log'></div>
+
+ <script nonce='dummy'>
+ var port = "{{ports[http][0]}}";
+ if (location.protocol === "https:")
+ port = "{{ports[https][0]}}";
+ var crossorigin_base = location.protocol + "//{{domains[www]}}:" + port;
+
+ // Test name, src, integrity, expected to run.
+ var test_cases = [
+ [ 'matching integrity',
+ './simpleSourcedScript.js',
+ 'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c=',
+ true ],
+ [ 'multiple matching integrity',
+ './simpleSourcedScript.js',
+ 'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c= sha512-rYCVMxWV5nq8IsMo+UZNObWtEiWGok/vDN8BMoEQi41s0znSes6E1Q2aag3Lw3u2J1w2rqH7uF2ws6FpQhfSOA=',
+ true ],
+ [ 'no integrity',
+ './simpleSourcedScript.js',
+ '',
+ false ],
+ [ 'matching plus unsupported integrity',
+ './simpleSourcedScript.js',
+ 'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c= sha999-xyz',
+ true ],
+ [ 'mismatched integrity',
+ './simpleSourcedScript.js',
+ 'sha256-xyz',
+ false ],
+ [ 'multiple mismatched integrity',
+ './simpleSourcedScript.js',
+ 'sha256-xyz sha256-zyx',
+ false ],
+ [ 'partially matching integrity',
+ './simpleSourcedScript.js',
+ 'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c= sha256-xyz',
+ false ],
+ [ 'crossorigin no integrity but allowed host',
+ crossorigin_base + '/content-security-policy/script-src/crossoriginScript.js',
+ '',
+ true ],
+ [ 'crossorigin mismatched integrity but allowed host',
+ crossorigin_base + '/content-security-policy/script-src/crossoriginScript.js',
+ 'sha256-kKJ5c48yxzaaSBupJSCmY50hkD8xbVgZgLHLtmnkeAo=',
+ true ],
+ ];
+
+ test(_ => {
+ for (item of test_cases) {
+ async_test(t => {
+ var s = document.createElement('script');
+ s.id = item[0].replace(' ', '-');
+ s.src = item[1];
+ s.integrity = item[2];
+ s.setAttribute('crossorigin', 'anonymous');
+
+ if (item[3]) {
+ s.onerror = t.unreached_func("Script should load! " + s.src);
+ window.addEventListener('message', t.step_func(e => {
+ if (e.data == s.id)
+ t.done();
+ }));
+ } else {
+ s.onerror = t.step_func_done();
+ window.addEventListener('message', t.step_func(e => {
+ if (e.data == s.id)
+ assert_unreached("Script should not execute!");
+ }));
+ }
+
+ document.body.appendChild(s);
+ }, item[0]);
+ }
+ }, "Load all the tests.");
+ </script>
+
+ <script nonce='dummy'>
+ var externalRan = false;
+ </script>
+ <script src='./externalScript.js'
+ integrity="sha256-wIc3KtqOuTFEu6t17sIBuOswgkV406VJvhSk79Gw6U0="></script>
+ <script nonce='dummy'>
+ test(function() {
+ assert_true(externalRan, 'External script ran.');
+ }, 'External script in a script tag with matching SRI hash should run.');
+ </script>
+
+</body>
+
+</html>
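Review bot: The expected-to-fail branch (`s.onerror = t.step_func_done();`) passes on any load error, so it cannot tell a CSP block from an SRI failure. For 'mismatched integrity' and 'multiple mismatched integrity' the `sha256-xyz` value presumably fails the browser's own integrity check as well, so those two cases would still pass if CSP hash matching were not enforced at all; only 'no integrity' and 'partially matching integrity' actually depend on the policy. Consider also requiring a `securitypolicyviolation` event in that branch before `t.done()`; because every same-origin case loads `./simpleSourcedScript.js`, each case would need a distinguishable URL for the event's `blockedURI` to be attributed to it. Separately, `for (item of test_cases)` creates an implicit global, and `for (const item of test_cases)` keeps it scoped to the loop.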
diff --git a/testing/web-platform/tests/content-security-policy/script-src/script-src-sri_hash.sub.html.sub.headers b/testing/web-platform/tests/content-security-policy/script-src/script-src-sri_hash.sub.html.sub.headers
new file mode 100644
index 0000000000..25cd6541ac
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/script-src-sri_hash.sub.html.sub.headers
@@ -0,0 +1,5 @@
+Expires: Mon, 26 Jul 1997 05:00:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Cache-Control: post-check=0, pre-check=0, false
+Pragma: no-cache
+Content-Security-Policy: script-src {{domains[www]}}:* 'nonce-dummy' 'sha256-wIc3KtqOuTFEu6t17sIBuOswgkV406VJvhSk79Gw6U0=' 'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c=' 'sha512-rYCVMxWV5nq8IsMo+UZNObWtEiWGok/vDN8BMoEQi41s0znSes6E1Q2aag3Lw3u2J1w2rqH7uF2ws6FpQhfSOA='
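Review bot: The trailing `false` in `Cache-Control: post-check=0, pre-check=0, false` is not a cache directive; it looks like the second argument of a PHP `header()` call copied into the header value, and `Cache-Control: post-check=0, pre-check=0` would say the same thing without it. The `Content-Security-Policy` value is also repeated in the `<!-- CSP served: ... -->` comment of script-src-sri_hash.sub.html, so a change to one of the hashes here has to be mirrored there for that comment to stay accurate.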