<!doctype html>
<!-- Any copyright is dedicated to the Public Domain. http://creativecommons.org/publicdomain/zero/1.0/ -->
<html>
<head>
  <!--
    Subresource Integrity (SRI) mochitest for cross-origin <script> elements.
    Each <script> element in the body is one test case: its onload / onerror
    attribute records whether the resource was accepted or blocked, and the
    final inline script asserts the outcomes that are tracked through flags.
  -->
  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css">
</head>
<body>
  <p id="display"></p>
  <div id="content" style="display: none"></div>
  <pre id="test"></pre>

  <script type="application/javascript">
    SimpleTest.waitForExplicitFinish();

    // Read by the assertions at the bottom of the page. They are expected to
    // be set by the external scripts when (and only when) they actually
    // execute. NOTE(review): inferred from the names; the bodies of
    // script_crossdomain1.js / script_crossdomain2.js are not part of this file.
    window.hasCORSLoaded = false;
    window.hasNonCORSLoaded = false;

    // Recorded by the handlers of the "correct hash, but no CORS grant" case.
    window.onloadCalled = false;
    window.onerrorCalled = false;

    // Case: integrity=" " (whitespace-only metadata) — SRI is not in effect,
    // so the cross-origin non-CORS script is simply loaded.
    function good_nonsriLoaded() {
      ok(true, "Non-eligible non-SRI resource was loaded correctly.");
    }
    function bad_nonsriBlocked() {
      ok(false, "Non-eligible non-SRI resources should be loaded!");
    }

    // Case: integrity="sha256-bogus" on a non-CORS cross-origin script.
    function good_nonCORSInvalidBlocked() {
      ok(true, "A non-CORS resource with invalid metadata was correctly blocked.");
    }
    function bad_nonCORSInvalidLoaded() {
      ok(false, "Non-CORS resources with invalid metadata should be blocked!");
    }

    // Case: correct hash, crossorigin="anonymous", but the server does not
    // grant CORS. Only the flags are recorded here; the page-level assertions
    // check them.
    function bad_onloadCalled() {
      window.onloadCalled = true;
    }
    function good_onerrorCalled() {
      window.onerrorCalled = true;
    }

    // Cases: same-origin URL that redirects to another origin, without CORS.
    // Blocked regardless of whether the hash matches, because the final
    // response comes from an origin the integrity check cannot vouch for.
    function good_incorrect301Blocked() {
      ok(true, "A non-CORS load with incorrect hash redirected to a different origin was blocked correctly.");
    }
    function bad_incorrect301Loaded() {
      ok(false, "Non-CORS loads with incorrect hashes redirecting to a different origin should be blocked!");
    }
    function good_correct301Blocked() {
      ok(true, "A non-CORS load with correct hash redirected to a different origin was blocked correctly.");
    }
    function bad_correct301Loaded() {
      ok(false, "Non-CORS loads with correct hashes redirecting to a different origin should be blocked!");
    }

    // Cases: data: URLs. These are same-origin, so a matching hash must load.
    // The blocked outcome of the non-CORS variant is tracked as a todo rather
    // than a failure.
    function good_correctDataLoaded() {
      ok(true, "Since data: URLs are same-origin, they should be loaded.");
    }
    function bad_correctDataBlocked() {
      todo(false, "We should not block scripts in data: URIs!");
    }
    function good_correctDataCORSLoaded() {
      ok(true, "A data: URL with a CORS load was loaded correctly.");
    }
    function bad_correctDataCORSBlocked() {
      ok(false, "We should not BLOCK scripts!");
    }

    window.onload = function() {
      SimpleTest.finish();
    };
  </script>

  <!-- CORS-enabled (crossorigin="" is the anonymous mode) with a matching
       sha512 digest: must load. -->
  <script src="http://example.com/tests/dom/security/test/sri/script_crossdomain1.js"
          crossorigin=""
          integrity="sha512-9Tv2DL1fHvmPQa1RviwKleE/jq72jgxj8XGLyWn3H6Xp/qbtfK/jZINoPFAv2mf0Nn1TxhZYMFULAbzJNGkl4Q=="></script>

  <!-- Correct hash, crossorigin requested, but the resource is not
       CORS-enabled on the server side: must be blocked, firing error and
       not load. -->
  <script src="http://example.com/tests/dom/security/test/sri/script_crossdomain2.js"
          crossorigin="anonymous"
          integrity="sha256-ntgU2U1xv7HfK1XWMTSWz6vJkyVtGzMrIAxQkux1I94="
          onload="bad_onloadCalled()"
          onerror="good_onerrorCalled()"></script>

  <!-- Non-CORS, whitespace-only integrity metadata: SRI is not engaged, so
       onload fires. -->
  <script src="http://example.com/tests/dom/security/test/sri/script_crossdomain3.js"
          integrity=" "
          onload="good_nonsriLoaded()"
          onerror="bad_nonsriBlocked()"></script>

  <!-- Non-CORS with malformed integrity metadata: must be blocked. -->
  <script src="http://example.com/tests/dom/security/test/sri/script_crossdomain4.js"
          integrity="sha256-bogus"
          onload="bad_nonCORSInvalidLoaded()"
          onerror="good_nonCORSInvalidBlocked()"></script>

  <!-- Non-CORS, initially same-origin, redirected to another origin; wrong
       hash: must be blocked. -->
  <script src="script_301.js"
          integrity="sha384-invalid"
          onload="bad_incorrect301Loaded()"
          onerror="good_incorrect301Blocked()"></script>

  <!-- Non-CORS, initially same-origin, redirected to another origin; correct
       hash: still must be blocked. -->
  <script src="script_301.js"
          integrity="sha384-1NpiDI6decClMaTWSCAfUjTdx1BiOffsCPgH4lW5hCLwmHk0VyV/g6B9Sw2kD2K3"
          onload="bad_correct301Loaded()"
          onerror="good_correct301Blocked()"></script>

  <!-- data: URL with a matching hash, no crossorigin: same-origin, so it
       should load (blocked outcome is a todo). -->
  <script src="data:,console.log('data:valid');"
          integrity="sha256-W5I4VIN+mCwOfR9kDbvWoY1UOVRXIh4mKRN0Nz0ookg="
          onload="good_correctDataLoaded()"
          onerror="bad_correctDataBlocked()"></script>

  <!-- Same data: URL fetched with crossorigin="anonymous": must load. -->
  <script src="data:,console.log('data:valid');"
          crossorigin="anonymous"
          integrity="sha256-W5I4VIN+mCwOfR9kDbvWoY1UOVRXIh4mKRN0Nz0ookg="
          onload="good_correctDataCORSLoaded()"
          onerror="bad_correctDataCORSBlocked()"></script>

  <!-- These assertions run while the parser is still processing the body,
       i.e. after every script element above has been fetched and its
       load / error handler has run. The inline on* attributes are therefore
       the only way to observe those events for this test. -->
  <script>
    ok(window.hasCORSLoaded, "CORS-enabled resource with a correct hash");
    ok(!window.hasNonCORSLoaded, "Correct hash, but non-CORS, should be blocked");
    ok(!window.onloadCalled, "Failed loads should not call onload when they're cross-domain");
    ok(window.onerrorCalled, "Failed loads should call onerror when they're cross-domain");
  </script>
</body>
</html>