Bug 1964703 [wpt PR 52360] - Integrity-Policy for script destinations,

Yoav Weiss · lutien · commit ba8060c5bbfe · 2025-05-14T15:54:40.000Z
Automatic update from web-platform-tests Integrity-Policy for script destinations This adds support for Integrity-Policy instead of `require-sri-for`, based on [1]. [1] w3c/webappsec-subresource-integrity#133 I2S: https://groups.google.com/a/chromium.org/g/blink-dev/c/Q304_OkDAZA/m/b3Bnyab9DgAJ Change-Id: I9599280eb94045951351368d2531d25c32c15681 Bug: 412588111 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6408111 Reviewed-by: Camille Lamy <clamy@chromium.org> Commit-Queue: Yoav Weiss (@Shopify) <yoavweiss@chromium.org> Reviewed-by: Antonio Sartori <antoniosartori@chromium.org> Reviewed-by: Adam Rice <ricea@chromium.org> Cr-Commit-Position: refs/heads/main@{#1456383} -- wpt-commits: 58c8754f2d64eda3c04c7afecca2be6799484f5b wpt-pr: 52360 Differential Revision: https://phabricator.services.mozilla.com/D249270
diff --git a/testing/web-platform/tests/subresource-integrity/tentative/integrity-policy/parsing.https.html b/testing/web-platform/tests/subresource-integrity/tentative/integrity-policy/parsing.https.html
@@ -0,0 +1,108 @@
+<!doctype html>
+<head>
+  <meta name="timeout" content="long">
+  <script src="/resources/testharness.js"></script>
+  <script src="/resources/testharnessreport.js"></script>
+  <script src="/common/dispatcher/dispatcher.js"></script>
+  <script src="/common/utils.js"></script>
+</head>
+<body>
+<script>
+  const run_test = (test_case) => {
+    promise_test(async () => {
+      const REMOTE_EXECUTOR =
+        `/common/dispatcher/remote-executor.html?pipe=`;
+      const iframe_uuid = token();
+
+      const header_name = "Integrity-Policy";
+      const header = `header(${header_name},${test_case.header_value})`;
+      const iframe_url =
+        `${REMOTE_EXECUTOR}${encodeURIComponent(header)}&uuid=${iframe_uuid}`;
+
+      const iframe = document.createElement('iframe');
+      iframe.src = iframe_url;
+      document.body.appendChild(iframe);
+
+      // Execute code directly from the iframe.
+      const ctx = new RemoteContext(iframe_uuid);
+      const result = await ctx.execute_script(async (test_case) => {
+        const resource_url = "/content-security-policy/resources/ran.js";
+        let report_observed_promise;
+
+        // Load a script with no integrity. If there's a policy in place, it
+        // would be blocked.
+        const loaded = await new Promise(resolve => {
+          const script = document.createElement('script');
+          script.onload = () => { resolve(true); };
+          script.onerror = () => { resolve(false); };
+          script.src = resource_url;
+          document.body.appendChild(script);
+        });
+        return { blocked: !loaded, ran: window.ran };
+      }, [test_case]);
+
+      assert_equals(!result.blocked, !!result.ran);
+      assert_equals(result.blocked, test_case.expected.blocked);
+    }, test_case.description);
+  };
+
+  const test_cases = [
+    {
+      description: "Ensure that test is working with a valid destination",
+      header_value: "blocked-destinations=\\(script\\)",
+      expected: {blocked: true},
+    },
+    {
+      description: "Ensure that test is working with a valid destination and source",
+      header_value: "blocked-destinations=\\(script\\)\\, sources=\\(inline\\)",
+      expected: {blocked: true},
+    },
+    {
+      description: "Ensure that an empty header does not block",
+      header_value: "",
+      expected: {blocked: false},
+    },
+    {
+      description: "Ensure that a destination header with a token value does not parse",
+      header_value: "blocked-destinations=script",
+      expected: {blocked: false},
+    },
+    {
+      description: "Ensure that a destination header with an inner list of strings does not parse",
+      header_value: 'blocked-destinations=\\("script"\\)',
+      expected: {blocked: false},
+    },
+    {
+      description: "Ensure that a destination header with an inner list of single-quote strings does not parse",
+      header_value: "blocked-destinations=\\('script'\\)",
+      expected: {blocked: false},
+    },
+    {
+      description: "Ensure that a destination header with an unclosed inner list does not parse",
+      header_value: "blocked-destinations=\\(script",
+      expected: {blocked: false},
+    },
+    {
+      description: "Ensure that a destination header with a malformed inner list does not parse",
+      header_value: "blocked-destinations=\\(script\\,style\\)",
+      expected: {blocked: false},
+    },
+    {
+      description: "Ensure that an unknown destination does not enforce a policy",
+      header_value: "blocked-destinations=\\(style\\)",
+      expected: {blocked: false},
+    },
+    {
+      description: "Ensure that an unknown source causes the policy to not be enforced",
+      header_value: "blocked-destinations=\\(script\\)\\, sources=\\(telepathy\\)",
+      expected: {blocked: false},
+    },
+    {
+      description: "Ensure that an invalid source causes the policy to not be enforced",
+      header_value: "blocked-destinations=\\(script\\)\\, sources=\\(invalid",
+      expected: {blocked: false},
+    },
+  ];
+  test_cases.map(run_test);
+</script>
+
diff --git a/testing/web-platform/tests/subresource-integrity/tentative/integrity-policy/script.https.html b/testing/web-platform/tests/subresource-integrity/tentative/integrity-policy/script.https.html
@@ -0,0 +1,160 @@
+<!doctype html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/common/utils.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+
+<body>
+<script>
+  const {ORIGIN} = get_host_info();
+  const getAbsoluteUrl = url => {
+    return new URL(url, window.location.href).href;
+  }
+
+  const run_test = (test_case) => {
+    promise_test(async () => {
+      const REMOTE_EXECUTOR =
+        `/common/dispatcher/remote-executor.html?pipe=`;
+      const iframe_uuid = token();
+
+      const header_name = test_case.report_only ?
+        "Integrity-Policy-Report-Only" :
+        "Integrity-Policy";
+
+      const header =
+        `header(${header_name},blocked-destinations=\\(script\\)\\, endpoints=\\(integrity-endpoint\\))`;
+      const iframe_url = `${REMOTE_EXECUTOR}${encodeURIComponent(header)}&uuid=${iframe_uuid}`;
+
+      const iframe = document.createElement('iframe');
+      iframe.src = iframe_url;
+      document.body.appendChild(iframe);
+
+      // Execute code directly from the iframe.
+      const ctx = new RemoteContext(iframe_uuid);
+      const result = await ctx.execute_script(async (test_case) => {
+        // Load the script
+        await new Promise(resolve => {
+          const script = document.createElement('script');
+          if (test_case.cross_origin) {
+            script.crossOrigin="anonymous";
+          }
+          if (test_case.integrity) {
+            script.integrity = test_case.integrity;
+          }
+          script.onload = () => { resolve(test_case.url); };
+          script.onerror = () => { resolve(test_case.url); };
+          script.src = test_case.url;
+          document.body.appendChild(script);
+        });
+        return { ran: window.ran };
+      }, [test_case]);
+      assert_equals(!!result.ran, test_case.expected.ran);
+    }, test_case.description);
+  };
+
+  const blob = new Blob([`window.ran=true;`],
+                        { type: 'application/javascript' });
+
+  const blob_url = URL.createObjectURL(blob);
+
+  // Generated using https://sha2.it/ed25519.html (In Chrome Canary, with Experimental Web Platform Features enabled)
+  const signature = encodeURIComponent(
+    'header(Unencoded-Digest, sha-384=:tqyFpeo21WFM8HDeUtLqH20GUq\/q3D1R6mqTzW3RtyTZ3dAYZJhC1wUcnkgOE2ak:)' +
+    '|header(Signature-Input, signature=\\("unencoded-digest";sf\\); keyid="JrQLj5P\/89iXES9+vFgrIy29clF9CC\/oPPsw3c5D0bs="; tag="sri")' +
+    '|header(Signature, signature=:qM19uLskHm2TQG5LJcH/hY0n0BWWzYOJztVWYlwk0cZb3u0JdgUMre1J4Jn8Tma0x2u5/kPBfbXRMbB+X+vTBw==:)');
+
+  const test_cases = [
+    {
+      description: "Ensure that a script without integrity did not run",
+      url: "/content-security-policy/resources/ran.js",
+      cross_origin: true,
+      integrity: "",
+      should_block: true,
+      report_only: false,
+      expected: {blocked: ORIGIN + "/content-security-policy/resources/ran.js", ran: false },
+    },
+    {
+      description: "Ensure that a script with unknown integrity algorithm did not run",
+      url: "/content-security-policy/resources/ran.js",
+      cross_origin: true,
+      integrity: "foobar-AAAAAAAAAAAAAAAAAAAa",
+      should_block: true,
+      report_only: false,
+      expected: {blocked: ORIGIN + "/content-security-policy/resources/ran.js", ran: false },
+    },
+    {
+      description: "Ensure that a script without integrity algorithm runs and gets reported in report-only mode",
+      url: "/content-security-policy/resources/ran.js",
+      cross_origin: true,
+      integrity: "",
+      should_block: true,
+      report_only: true,
+      expected: {blocked: ORIGIN + "/content-security-policy/resources/ran.js", ran: true },
+    },
+    {
+      description: "Ensure that a no-cors script gets blocked",
+      url: "/content-security-policy/resources/ran.js",
+      cross_origin: false,
+      integrity: "sha384-tqyFpeo21WFM8HDeUtLqH20GUq/q3D1R6mqTzW3RtyTZ3dAYZJhC1wUcnkgOE2ak",
+      should_block: true,
+      report_only: false,
+      expected: {blocked: ORIGIN + "/content-security-policy/resources/ran.js", ran: false },
+    },
+    {
+      description: "Ensure that a script with integrity runs",
+      url: "/content-security-policy/resources/ran.js",
+      cross_origin: true,
+      integrity: "sha384-tqyFpeo21WFM8HDeUtLqH20GUq/q3D1R6mqTzW3RtyTZ3dAYZJhC1wUcnkgOE2ak",
+      should_block: false,
+      report_only: false,
+      expected: {blocked: "", ran: true },
+    },
+    {
+      description: "Ensure that a script with signature integrity runs",
+      url: "/content-security-policy/resources/ran.js?pipe=" + signature,
+      cross_origin: true,
+      integrity: "ed25519-JrQLj5P/89iXES9+vFgrIy29clF9CC/oPPsw3c5D0bs=",
+      should_block: false,
+      report_only: false,
+      expected: {blocked: "", ran: true },
+    },
+    {
+      description: "Ensure that a data URI script with no integrity runs",
+      url: "data:application/javascript,window.ran=true",
+      cross_origin: true,
+      integrity: "",
+      should_block: false,
+      report_only: false,
+      expected: {blocked: "", ran: true },
+    },
+    {
+      description: "Ensure that a no-CORS data URI script with no integrity runs",
+      url: "data:application/javascript,window.ran=true",
+      cross_origin: false,
+      integrity: "",
+      should_block: false,
+      report_only: false,
+      expected: {blocked: "", ran: true },
+    },
+    {
+      description: "Ensure that a blob URL script with no integrity runs",
+      url: blob_url,
+      cross_origin: true,
+      integrity: "",
+      should_block: false,
+      report_only: false,
+      expected: {blocked: "", ran: true },
+    },
+    {
+      description: "Ensure that a no-CORS blob URL script with no integrity runs",
+      url: blob_url,
+      cross_origin: false,
+      integrity: "",
+      should_block: false,
+      report_only: false,
+      expected: {blocked: "", ran: true },
+    }
+  ];
+  test_cases.map(run_test);
+</script>
