File: header-component.window.js

package info (click to toggle)
firefox 144.0-1
  • links: PTS, VCS
  • area: main
  • in suites: sid
  • size: 4,637,504 kB
  • sloc: cpp: 7,576,692; javascript: 6,430,831; ansic: 3,748,119; python: 1,398,978; xml: 628,810; asm: 438,679; java: 186,194; sh: 63,212; makefile: 19,159; objc: 13,086; perl: 12,986; yacc: 4,583; cs: 3,846; pascal: 3,448; lex: 1,720; ruby: 1,003; exp: 762; php: 436; lisp: 258; awk: 247; sql: 66; sed: 53; csh: 10
file content (100 lines) | stat: -rw-r--r-- 4,821 bytes parent folder | download | duplicates (5) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
 
// META: script=helper.js

// The following tests validate the behavior of arbitrary header components in
// signatures. They rely on the test key from
// https://www.rfc-editor.org/rfc/rfc9421.html#name-example-ed25519-test-key
//
// TODO: Replace the placeholder signatures below with real signatures.

const kBody = "window.hello = `world`;";
const kDigest = "sha-256=:PZJ+9CdAAIacg7wfUe4t/RkDQJVKM0mCZ2K7qiRhHFc=:";

const kSignatures = {
  // Signature Base:
  // "content-type": application/javascript
  // "unencoded-digest";sf: sha-256=:PZJ+9CdAAIacg7wfUe4t/RkDQJVKM0mCZ2K7qiRhHFc=:
  // "@signature-params": ("content-type" "unencoded-digest";sf);keyid="JrQLj5P/89iXES9+vFgrIy29clF9CC/oPPsw3c5D0bs=";tag="sri"
  ct_then_digest: "signature=:a5uYGT79upHlmAkq3PsPHr1xz5AXjqmjVbOr38e8HW94+YqthWLjPeYVRYkYprb0zDqrreptOB4m5d148uWAAQ==:",

  // Signature Base:
  // "unencoded-digest";sf: sha-256=:PZJ+9CdAAIacg7wfUe4t/RkDQJVKM0mCZ2K7qiRhHFc=:
  // "content-type": application/javascript
  // "@signature-params": ("unencoded-digest";sf "content-type");keyid="JrQLj5P/89iXES9+vFgrIy29clF9CC/oPPsw3c5D0bs=";tag="sri"
  digest_then_ct: "signature=:OuJoPVjT+cucaPpFGs3hyhdOGcEEgCAaLefYWCwEGdsBFunmFAT6hbMTg/vmhLM3raZKKzWqjFkzinWtia8fAA==:",

  // Signature Base:
  // "content-type": application/javascript
  // "x-extra-header": some-value
  // "unencoded-digest";sf: sha-256=:PZJ+9CdAAIacg7wfUe4t/RkDQJVKM0mCZ2K7qiRhHFc=:
  // "@signature-params": ("content-type" "x-missing-header" "unencoded-digest";sf);keyid="JrQLj5P/89iXES9+vFgrIy29clF9CC/oPPsw3c5D0bs=";tag="sri"
  with_extra_header: "signature=:9UFhYYWqUSxadNI4vyPSln1deZGswee7DpRg761SaORKykyewqhD6pEPJBXfEaV9wJrqgq4Nq+oJb2Pe25TjDA==:",
};

const kRequestsWithValidSignature = [
  {
    body: kBody,
    digest: kDigest,
    signature: kSignatures.ct_then_digest,
    signatureInput: `signature=("content-type" "unencoded-digest";sf);keyid="${kValidKeys["rfc"]}";tag="sri"`
  },
  {
    body: kBody,
    digest: kDigest,
    signature: kSignatures.digest_then_ct,
    signatureInput: `signature=("unencoded-digest";sf "content-type");keyid="${kValidKeys["rfc"]}";tag="sri"`
  }
];

for (const request of kRequestsWithValidSignature) {
    // fetch():
    generate_fetch_test(request, {}, EXPECT_LOADED,
                        `Valid signature (${request.signatureInput}), no integrity check: loads.`);
    generate_fetch_test(request, {integrity:`ed25519-${kValidKeys["rfc"]}`}, EXPECT_LOADED,
                        `Valid signature (${request.signatureInput}), matching integrity check: loads.`);
    generate_fetch_test(request, {integrity:`ed25519-${kInvalidKey}`}, EXPECT_BLOCKED,
                        `Valid signature (${request.signatureInput}), mismatched integrity check: blocked.`);

    // <script>:
    generate_script_test(request, "", EXPECT_LOADED,
                        `Valid signature (${request.signatureInput}), no integrity check: loads.`);
    generate_script_test(request, `ed25519-${kValidKeys["rfc"]}`, EXPECT_LOADED,
                        `Valid signature (${request.signatureInput}), matching integrity check: loads.`);
    generate_script_test(request, `ed25519-${kInvalidKey}`, EXPECT_BLOCKED,
                        `Valid signature (${request.signatureInput}), mismatched integrity check: blocked.`);
}

// Test cases for failure
const kFailingRequests = [
    // Valid signature, but the "content-type" header value does not match what is signed.
    {
        body: kBody,
        digest: kDigest,
        signature: kSignatures.digest_then_ct,
        signatureInput: `signature=("unencoded-digest";sf "content-type");keyid="${kValidKeys["rfc"]}";tag="sri"`,
        type: "text/plain", // The signature was for "application/javascript"
        description: "Mismatched header value"
    },
    // Valid signature, but a signed header is missing from the response.
    {
        body: kBody,
        digest: kDigest,
        signature: kSignatures.with_extra_header,
        signatureInput: `signature=("content-type" "x-extra-header" "unencoded-digest";sf);keyid="${kValidKeys["rfc"]}";tag="sri"`,
        description: "Missing signed header"
    }
];

for (const request of kFailingRequests) {
    const description = request.description;
    // fetch():
    generate_fetch_test(request, {}, EXPECT_BLOCKED,
                        `${description}: blocked.`);
    generate_fetch_test(request, {integrity:`ed25519-${kValidKeys["rfc"]}`}, EXPECT_BLOCKED,
                        `${description} with matching integrity: blocked.`);

    // <script>:
    generate_script_test(request, "", EXPECT_BLOCKED,
                        `${description}: blocked.`);
    generate_script_test(request, `ed25519-${kValidKeys["rfc"]}`, EXPECT_BLOCKED,
                        `${description} with matching integrity: blocked.`);
}