1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
|
<!DOCTYPE HTML>
<!-- Any copyright is dedicated to the Public Domain.
http://creativecommons.org/publicdomain/zero/1.0/ -->
<html>
<head>
<script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
<link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
<script type="application/javascript">
SimpleTest.waitForExplicitFinish();
window.onload = function() {
SimpleTest.finish();
}
</script>
<script>
function good_correctHashLoaded() {
ok(true, "A script was correctly loaded when integrity matched")
}
function bad_correctHashBlocked() {
ok(false, "We should load scripts with hashes that match!");
}
function good_correctHashArrayLoaded() {
ok(true, "A script was correctly loaded when one of the hashes in the integrity attribute matched")
}
function bad_correctHashArrayBlocked() {
ok(false, "We should load scripts with at least one hash that match!");
}
function good_emptyIntegrityLoaded() {
ok(true, "A script was correctly loaded when the integrity attribute was empty")
}
function bad_emptyIntegrityBlocked() {
ok(false, "We should load scripts with empty integrity attributes!");
}
function good_whitespaceIntegrityLoaded() {
ok(true, "A script was correctly loaded when the integrity attribute only contained whitespace")
}
function bad_whitespaceIntegrityBlocked() {
ok(false, "We should load scripts with integrity attributes containing only whitespace!");
}
function good_incorrectHashBlocked() {
ok(true, "A script was correctly blocked, because the hash digest was wrong");
}
function bad_incorrectHashLoaded() {
ok(false, "We should not load scripts with hashes that do not match the content!");
}
function good_incorrectHashArrayBlocked() {
ok(true, "A script was correctly blocked, because all the hashes were wrong");
}
function bad_incorrectHashArrayLoaded() {
ok(false, "We should not load scripts when none of the hashes match the content!");
}
function good_incorrectHashLengthBlocked() {
ok(true, "A script was correctly blocked, because the hash length was wrong");
}
function bad_incorrectHashLengthLoaded() {
ok(false, "We should not load scripts with hashes that don't have the right length!");
}
function bad_incorrectHashFunctionBlocked() {
ok(false, "We should load scripts with invalid/unsupported hash functions!");
}
function good_incorrectHashFunctionLoaded() {
ok(true, "A script was correctly loaded, despite the hash function being invalid/unsupported.");
}
function bad_missingHashFunctionBlocked() {
ok(false, "We should load scripts with missing hash functions!");
}
function good_missingHashFunctionLoaded() {
ok(true, "A script was correctly loaded, despite a missing hash function.");
}
function bad_missingHashValueBlocked() {
ok(false, "We should load scripts with missing hash digests!");
}
function good_missingHashValueLoaded() {
ok(true, "A script was correctly loaded, despite the missing hash digest.");
}
function good_401Blocked() {
ok(true, "A script was not loaded because of 401 response.");
}
function bad_401Loaded() {
ok(false, "We should nt load scripts with a 401 response!");
}
function good_valid302Loaded() {
ok(true, "A script was loaded successfully despite a 302 response.");
}
function bad_valid302Blocked() {
ok(false, "We should load scripts with a 302 response and the right hash!");
}
function good_invalid302Blocked() {
ok(true, "A script was blocked successfully after a 302 response.");
}
function bad_invalid302Loaded() {
ok(false, "We should not load scripts with a 302 response and the wrong hash!");
}
function good_validBlobLoaded() {
ok(true, "A script was loaded successfully from a blob: URL.");
}
function bad_validBlobBlocked() {
ok(false, "We should load scripts using blob: URLs with the right hash!");
}
function good_invalidBlobBlocked() {
ok(true, "A script was blocked successfully from a blob: URL.");
}
function bad_invalidBlobLoaded() {
ok(false, "We should not load scripts using blob: URLs with the wrong hash!");
}
</script>
</head>
<body>
<!-- valid hash. should trigger onload -->
<!-- the hash value comes from running this command:
cat script.js | openssl dgst -sha256 -binary | openssl enc -base64 -A
-->
<script src="script.js"
integrity="sha256-RkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA="
onerror="bad_correctHashBlocked()"
onload="good_correctHashLoaded()"></script>
<!-- valid sha512 hash. should trigger onload -->
<script src="script.js"
integrity="sha512-mzSqH+vC6qrXX46JX2WEZ0FtY/lGj/5+5yYCBlk0jfYHLm0vP6XgsURbq83mwMApsnwbDLXdgjp5J8E93GT6Mw==?ignore=this"
onerror="bad_correctHashBlocked()"
onload="good_correctHashLoaded()"></script>
<!-- one valid sha256 hash. should trigger onload -->
<script src="script.js"
integrity="sha256-rkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA= sha256-RkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA= sha256-rkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA="
onerror="bad_correctHashArrayBlocked()"
onload="good_correctHashArrayLoaded()"></script>
<!-- empty integrity. should trigger onload -->
<script src="script.js"
integrity=""
onerror="bad_emptyIntegrityBlocked()"
onload="good_emptyIntegrityLoaded()"></script>
<!-- whitespace integrity. should trigger onload -->
<script src="script.js"
integrity="
"
onerror="bad_whitespaceIntegrityBlocked()"
onload="good_whitespaceIntegrityLoaded()"></script>
<!-- invalid sha256 hash but valid sha384 hash. should trigger onload -->
<script src="script.js"
integrity="sha256-bogus sha384-zDCkvKOHXk8mM6Nk07oOGXGME17PA4+ydFw+hq0r9kgF6ZDYFWK3fLGPEy7FoOAo?"
onerror="bad_correctHashBlocked()"
onload="good_correctHashLoaded()"></script>
<!-- valid sha256 and invalid sha384. should trigger onerror -->
<script src="script.js"
integrity="sha256-RkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA= sha384-RkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA="
onerror="good_incorrectHashLengthBlocked()"
onload="bad_incorrectHashLengthLoaded()"></script>
<!-- invalid hash. should trigger onerror -->
<script src="script.js"
integrity="sha256-rkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA="
onerror="good_incorrectHashBlocked()"
onload="bad_incorrectHashLoaded()"></script>
<!-- invalid hashes. should trigger onerror -->
<script src="script.js"
integrity="sha256-rkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA= sha256-ZkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA= sha256-zkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA="
onerror="good_incorrectHashBlocked()"
onload="bad_incorrectHashLoaded()"></script>
<!-- invalid hash function. should trigger onload -->
<script src="script.js"
integrity="rot13-RkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA="
onerror="bad_incorrectHashFunctionBlocked()"
onload="good_incorrectHashFunctionLoaded()"></script>
<!-- missing hash function. should trigger onload -->
<script src="script.js"
integrity="RkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA="
onerror="bad_missingHashFunctionBlocked()"
onload="good_missingHashFunctionLoaded()"></script>
<!-- missing hash value. should trigger onload -->
<script src="script.js"
integrity="sha512-"
onerror="bad_missingHashValueBlocked()"
onload="good_missingHashValueLoaded()"></script>
<!-- 401 response. should trigger onerror -->
<script src="script_401.js"
integrity="sha256-RkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA="
onerror="good_401Blocked()"
onload="bad_401Loaded()"></script>
<!-- valid sha256 after a redirection. should trigger onload -->
<script src="script_302.js"
integrity="sha256-RkrQYrxD/HCx+ImVLb51nvxJ6ZHfwuEm7bHppTun9oA="
onerror="bad_valid302Blocked()"
onload="good_valid302Loaded()"></script>
<!-- invalid sha256 after a redirection. should trigger onerror -->
<script src="script_302.js"
integrity="sha256-JSi74NSN8WQNr9syBGmNg2APJp9PnHUO5ioZo5hmIiQ="
onerror="good_invalid302Blocked()"
onload="bad_invalid302Loaded()"></script>
<!-- valid sha256 for a blob: URL -->
<script>
var blob = new Blob(["console.log('blob:valid');"],
{type:"application/javascript"});
var script = document.createElement('script');
script.setAttribute('src', URL.createObjectURL(blob));
script.setAttribute('integrity', 'sha256-AwLdXiGfCqOxOXDPUim73G8NVEL34jT0IcQR/tqv/GQ=');
script.onerror = bad_validBlobBlocked;
script.onload = good_validBlobLoaded;
var head = document.getElementsByTagName('head').item(0);
head.appendChild(script);
</script>
<!-- invalid sha256 for a blob: URL -->
<script>
var blob = new Blob(["console.log('blob:invalid');"],
{type:"application/javascript"});
var script = document.createElement('script');
script.setAttribute('src', URL.createObjectURL(blob));
script.setAttribute('integrity', 'sha256-AwLdXiGfCqOxOXDPUim73G8NVEL34jT0IcQR/tqv/GQ=');
script.onerror = good_invalidBlobBlocked;
script.onload = bad_invalidBlobLoaded;
var head = document.getElementsByTagName('head').item(0);
head.appendChild(script);
</script>
<p id="display"></p>
<div id="content" style="display: none">
</div>
<pre id="test">
</pre>
</body>
</html>
|