File: subresource-ed25519-with-csp.tentative.html

<!DOCTYPE html>
<!--
  Test page for the tentative Ed25519 signature form of Subresource Integrity
  when a Content Security Policy is also in force.

  The script-src policy below lists three source expressions:
    'unsafe-inline'  In user agents that honour nonces (CSP Level 2 and later)
                     this keyword is ignored once a nonce source is present, so
                     it only acts as a fallback for older agents.
    'nonce-abcd'     Admits every script element carrying nonce="abcd". The
                     value is a fixed test constant; a deployed policy needs a
                     fresh, unpredictable nonce per response.
    'ed25519-...'    The one public key this page trusts for signed scripts.
                     The inline test script repeats the same base64 string in
                     its public_key variable; the two must stay identical.
-->
<meta http-equiv="Content-Security-Policy"
      content="script-src 'unsafe-inline' 'nonce-abcd' 'ed25519-qGFmwTxlocg707D1cX4w60iTwtfwbMLf8ITDyfko7s0='">

<title>Subresource Integrity with Ed25519 plus Content Security Policy</title>
<!-- The harness scripts carry the nonce; nothing else in the policy would admit them. -->
<script src="/resources/testharness.js" nonce="abcd"></script>
<script src="/resources/testharnessreport.js" nonce="abcd"></script>
<script src="/resources/sriharness.js" nonce="abcd"></script>

<!-- testharness.js renders its results into the element with id "log". -->
<div id="log"></div>
<!-- Not referenced on this page; presumably consumed by sriharness.js (confirm there). -->
<div id="container"></div>
<script nonce="abcd">
    // Checks how Ed25519-signed scripts interact with this page's CSP.
    // SRIScriptTest comes from sriharness.js. Its positional arguments, as used
    // here, are: expected outcome (true in the "passes" cases, false in the
    // "fails" cases), test name, script URL, integrity attribute value,
    // cross origin value, nonce.

    // Must be byte-identical to the 'ed25519-' source in this document's
    // Content-Security-Policy meta element.
    var public_key = "qGFmwTxlocg707D1cX4w60iTwtfwbMLf8ITDyfko7s0=";

    // A second key that is deliberately NOT listed in the policy.
    var key_not_in_csp = "5MVHFfs/9Ri+YSwH4FwneSFp88t1ljryPoLxdiyTKks=";

    // Rows run in the order listed; each row is the argument list of one test.
    [
        // Key is in the policy and the signature verifies.
        [
            true,
            "Ed25519-with-CSP, passes, valid key, valid signature.",
            "ed25519-signature.js",
            "ed25519-" + public_key
        ],

        // Key is in the policy but the signature does not verify.
        [
            false,
            "Ed25519-with-CSP, fails, valid key, invalid signature.",
            "ed25519-broken-signature.js",
            "ed25519-" + public_key
        ],

        // Control case for the row after it: the script gets past CSP through
        // the nonce, not through its key. This says nothing useful about the
        // Ed25519 feature by itself. It shows that the resource and its
        // signature are acceptable, so when this row passes and the next one
        // fails, the CSP key mismatch is the only remaining explanation.
        [
            true,
            "Ed25519-with-CSP, passes, alternative key.",
            "ed25519-signature2.js",
            "ed25519-" + key_not_in_csp,
            /* cross origin */ undefined,
            /* nonce */ "abcd"
        ],

        // Same resource and key as the control, but no nonce: the key is not
        // in the policy, so the load is expected to fail.
        [
            false,
            "Ed25519-with-CSP, fails, valid key, valid signature, key not in CSP.",
            "ed25519-signature2.js",
            "ed25519-" + key_not_in_csp
        ]
    ].forEach(function (testArgs) {
        new SRIScriptTest(...testArgs).execute();
    });
</script>