content-security-policy/script-src/script-src-sri_hash.sub.html - external/w3c/web-platform-tests - Git at Google

 <!DOCTYPE HTML>
 <html>

 <head>
     <title>External scripts with matching SRI hash should be allowed.</title>
     <script src='/resources/testharness.js' nonce='dummy'></script>
     <script src='/resources/testharnessreport.js' nonce='dummy'></script>

     <!-- CSP served: script-src {{domains[www]}}:* 'nonce-dummy' 'sha256-wIc3KtqOuTFEu6t17sIBuOswgkV406VJvhSk79Gw6U0=' 'ShA256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c=' 'sha512-rYCVMxWV5nq8IsMo+UZNObWtEiWGok/vDN8BMoEQi41s0znSes6E1Q2aag3Lw3u2J1w2rqH7uF2ws6FpQhfSOA==' -->
     <!-- ShA256 is intentionally mixed case -->
 </head>

 <body>
     <h1>External scripts with matching SRI hash should be allowed.</h1>
     <div id='log'></div>

     <script nonce='dummy'>
         var port = "{{ports[http][0]}}";
         if (location.protocol === "https:")
           port = "{{ports[https][0]}}";
         var crossorigin_base = location.protocol + "//{{domains[www]}}:" + port;

         // Test name, src, integrity, expected to run.
         var test_cases = [
           [ 'matching integrity',
             './simpleSourcedScript.js',
             'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c=',
             true ],
           [ 'matching integrity (case-insensitive algorithm)',
             './simpleSourcedScript.js',
             'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c=',
             true ],
           [ 'multiple matching integrity',
             './simpleSourcedScript.js',
             'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c= sha512-rYCVMxWV5nq8IsMo+UZNObWtEiWGok/vDN8BMoEQi41s0znSes6E1Q2aag3Lw3u2J1w2rqH7uF2ws6FpQhfSOA==',
             true ],
           [ 'no integrity',
             './simpleSourcedScript.js',
             '',
             false ],
           [ 'matching plus unsupported integrity',
             './simpleSourcedScript.js',
             'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c= sha999-xyz',
             true ],
           [ 'mismatched integrity',
             './simpleSourcedScript.js',
             'sha256-xyz',
             false ],
           [ 'multiple mismatched integrity',
             './simpleSourcedScript.js',
             'sha256-xyz sha256-zyx',
             false ],
           [ 'partially matching integrity',
             './simpleSourcedScript.js',
             'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c= sha256-xyz',
             false ],
           [ 'crossorigin no integrity but allowed host',
             crossorigin_base + '/content-security-policy/script-src/crossoriginScript.js',
             '',
             true ],
           [ 'crossorigin mismatched integrity but allowed host',
             crossorigin_base + '/content-security-policy/script-src/crossoriginScript.js',
             'sha256-kKJ5c48yxzaaSBupJSCmY50hkD8xbVgZgLHLtmnkeAo=',
             true ],
         ];

         test(_ => {
           for (item of test_cases) {
             async_test(t => {
               var s = document.createElement('script');
               s.id = item[0].replace(' ', '-');
               s.src = item[1];
               s.integrity = item[2];
               s.setAttribute('crossorigin', 'anonymous');

               if (item[3]) {
                 s.onerror = t.unreached_func("Script should load! " + s.src);
                 window.addEventListener('message', t.step_func(e => {
                   if (e.data == s.id)
                     t.done();
                 }));
               } else {
                 s.onerror = t.step_func_done();
                 window.addEventListener('message', t.step_func(e => {
                   if (e.data == s.id)
                     assert_unreached("Script should not execute!");
                 }));
               }

               document.body.appendChild(s);
             }, item[0]);
           }
         }, "Load all the tests.");
     </script>

     <script nonce='dummy'>
         var externalRan = false;
     </script>
     <script src='./externalScript.js'
         integrity="sha256-wIc3KtqOuTFEu6t17sIBuOswgkV406VJvhSk79Gw6U0="></script>
     <script nonce='dummy'>
         test(function() {
             assert_true(externalRan, 'External script ran.');
         }, 'External script in a script tag with matching SRI hash should run.');
     </script>

 </body>

 </html>
	<!DOCTYPE HTML>
	<html>

	<head>
	<title>External scripts with matching SRI hash should be allowed.</title>
	<script src='/resources/testharness.js' nonce='dummy'></script>
	<script src='/resources/testharnessreport.js' nonce='dummy'></script>

	<!-- CSP served: script-src {{domains[www]}}:* 'nonce-dummy' 'sha256-wIc3KtqOuTFEu6t17sIBuOswgkV406VJvhSk79Gw6U0=' 'ShA256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c=' 'sha512-rYCVMxWV5nq8IsMo+UZNObWtEiWGok/vDN8BMoEQi41s0znSes6E1Q2aag3Lw3u2J1w2rqH7uF2ws6FpQhfSOA==' -->
	<!-- ShA256 is intentionally mixed case -->
	</head>

	<body>
	<h1>External scripts with matching SRI hash should be allowed.</h1>
	<div id='log'></div>

	<script nonce='dummy'>
	var port = "{{ports[http][0]}}";
	if (location.protocol === "https:")
	port = "{{ports[https][0]}}";
	var crossorigin_base = location.protocol + "//{{domains[www]}}:" + port;

	// Test name, src, integrity, expected to run.
	var test_cases = [
	[ 'matching integrity',
	'./simpleSourcedScript.js',
	'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c=',
	true ],
	[ 'matching integrity (case-insensitive algorithm)',
	'./simpleSourcedScript.js',
	'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c=',
	true ],
	[ 'multiple matching integrity',
	'./simpleSourcedScript.js',
	'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c= sha512-rYCVMxWV5nq8IsMo+UZNObWtEiWGok/vDN8BMoEQi41s0znSes6E1Q2aag3Lw3u2J1w2rqH7uF2ws6FpQhfSOA==',
	true ],
	[ 'no integrity',
	'./simpleSourcedScript.js',
	'',
	false ],
	[ 'matching plus unsupported integrity',
	'./simpleSourcedScript.js',
	'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c= sha999-xyz',
	true ],
	[ 'mismatched integrity',
	'./simpleSourcedScript.js',
	'sha256-xyz',
	false ],
	[ 'multiple mismatched integrity',
	'./simpleSourcedScript.js',
	'sha256-xyz sha256-zyx',
	false ],
	[ 'partially matching integrity',
	'./simpleSourcedScript.js',
	'sha256-L7/UQ9VWpyG7C9RDEC4ctS5hI3Zcw+ta+haPGlByG9c= sha256-xyz',
	false ],
	[ 'crossorigin no integrity but allowed host',
	crossorigin_base + '/content-security-policy/script-src/crossoriginScript.js',
	'',
	true ],
	[ 'crossorigin mismatched integrity but allowed host',
	crossorigin_base + '/content-security-policy/script-src/crossoriginScript.js',
	'sha256-kKJ5c48yxzaaSBupJSCmY50hkD8xbVgZgLHLtmnkeAo=',
	true ],
	];

	test(_ => {
	for (item of test_cases) {
	async_test(t => {
	var s = document.createElement('script');
	s.id = item[0].replace(' ', '-');
	s.src = item[1];
	s.integrity = item[2];
	s.setAttribute('crossorigin', 'anonymous');

	if (item[3]) {
	s.onerror = t.unreached_func("Script should load! " + s.src);
	window.addEventListener('message', t.step_func(e => {
	if (e.data == s.id)
	t.done();
	}));
	} else {
	s.onerror = t.step_func_done();
	window.addEventListener('message', t.step_func(e => {
	if (e.data == s.id)
	assert_unreached("Script should not execute!");
	}));
	}

	document.body.appendChild(s);
	}, item[0]);
	}
	}, "Load all the tests.");
	</script>

	<script nonce='dummy'>
	var externalRan = false;
	</script>
	<script src='./externalScript.js'
	integrity="sha256-wIc3KtqOuTFEu6t17sIBuOswgkV406VJvhSk79Gw6U0="></script>
	<script nonce='dummy'>
	test(function() {
	assert_true(externalRan, 'External script ran.');
	}, 'External script in a script tag with matching SRI hash should run.');
	</script>

	</body>

	</html>