// Integrity-attribute checks with the document placed in a secure origin and
// the same URL (secureURL) supplied for both URL arguments of every check.
TEST_F(SubresourceIntegrityTest, CheckSubresourceIntegrityInSecureOrigin)
{
    document->updateSecurityOrigin(secureOrigin->isolatedCopy());

    // Every check runs against the same script body, so measure it once.
    const auto scriptLength = strlen(kBasicScript);

    // One digest per attribute: sha256 (strict and lenient syntax), sha384
    // and sha512 are all expected to validate.
    expectIntegrity(kSha256Integrity, kBasicScript, scriptLength, secureURL, secureURL);
    expectIntegrity(kSha256IntegrityLenientSyntax, kBasicScript, scriptLength, secureURL, secureURL);
    expectIntegrity(kSha384Integrity, kBasicScript, scriptLength, secureURL, secureURL);
    expectIntegrity(kSha512Integrity, kBasicScript, scriptLength, secureURL, secureURL);

    // Several digests in one attribute: a wrong sha256 next to a correct
    // sha384 is still expected to validate.
    expectIntegrity(kSha256AndSha384Integrities, kBasicScript, scriptLength, secureURL, secureURL);
    expectIntegrity(kBadSha256AndGoodSha384Integrities, kBasicScript, scriptLength, secureURL, secureURL);

    // A digest presented under the wrong algorithm label must be rejected.
    expectIntegrityFailure(kSha384IntegrityLabeledAs256, kBasicScript, scriptLength, secureURL, secureURL);

    // Only the strongest algorithm listed counts: a correct sha256 cannot
    // rescue a wrong sha384, so a weaker digest cannot be used to downgrade
    // the check. All-wrong digests fail as well.
    expectIntegrityFailure(kGoodSha256AndBadSha384Integrities, kBasicScript, scriptLength, secureURL, secureURL);
    expectIntegrityFailure(kBadSha256AndBadSha384Integrities, kBasicScript, scriptLength, secureURL, secureURL);

    // An unsupported hash function is expected to pass the check. The
    // consequence for page authors is that an attribute naming only
    // unsupported algorithms enforces nothing.
    expectIntegrity(kUnsupportedHashFunctionIntegrity, kBasicScript, scriptLength, secureURL, secureURL);

    // Nothing is wrong with the parameters, and since the request is not
    // cross origin the check passes without CORS.
    expectIntegrity(kSha256Integrity, kBasicScript, scriptLength, secureURL, secureURL, NoCors);

    // Options attached to the digest (empty, single, multiple, MIME) are
    // ignored and do not affect the outcome.
    expectIntegrity(kSha256IntegrityWithEmptyOption, kBasicScript, scriptLength, secureURL, secureURL, NoCors);
    expectIntegrity(kSha256IntegrityWithOption, kBasicScript, scriptLength, secureURL, secureURL, NoCors);
    expectIntegrity(kSha256IntegrityWithOptions, kBasicScript, scriptLength, secureURL, secureURL, NoCors);
    expectIntegrity(kSha256IntegrityWithMimeOption, kBasicScript, scriptLength, secureURL, secureURL, NoCors);
}
// Runs the integrity checks with the document placed in an insecure origin.
// Every check is expected to fail, even though the URL passed to each one is
// secureURL.
// NOTE(review): presumably the document's security origin, not the resource
// URL, is what gates the check here; confirm against expectIntegrityFailure.
TEST_F(SubresourceIntegrityTest, CheckSubresourceIntegrityInInsecureOrigin)
{
    // The same checks as CheckSubresourceIntegrityInSecureOrigin should fail here.
    document->updateSecurityOrigin(insecureOrigin->isolatedCopy());

    // Single-digest attributes for each algorithm are rejected in this origin.
    expectIntegrityFailure(kSha256Integrity, kBasicScript, secureURL);
    expectIntegrityFailure(kSha384Integrity, kBasicScript, secureURL);
    expectIntegrityFailure(kSha512Integrity, kBasicScript, secureURL);

    // A mislabelled digest and an unsupported hash function are rejected too.
    expectIntegrityFailure(kSha384IntegrityLabeledAs256, kBasicScript, secureURL);
    expectIntegrityFailure(kUnsupportedHashFunctionIntegrity, kBasicScript, secureURL);
}
// Runs the integrity checks with the document placed in a secure origin:
// correctly labelled digests validate, while a mislabelled digest or an
// unsupported hash function is rejected.
TEST_F(SubresourceIntegrityTest, CheckSubresourceIntegrityInSecureOrigin)
{
    // Put the document in the secure origin before any check runs.
    document->updateSecurityOrigin(secureOrigin->isolatedCopy());

    // Verify basic sha256, sha384, and sha512 integrity checks.
    expectIntegrity(kSha256Integrity, kBasicScript, secureURL);
    expectIntegrity(kSha384Integrity, kBasicScript, secureURL);
    expectIntegrity(kSha512Integrity, kBasicScript, secureURL);

    // The hash label must match the hash value: going by the constant's name,
    // this is a sha384 digest presented under a sha256 label, and it must not
    // validate.
    expectIntegrityFailure(kSha384IntegrityLabeledAs256, kBasicScript, secureURL);

    // Unsupported hash functions should fail, i.e. the check fails closed
    // when the attribute names an algorithm that is not supported.
    expectIntegrityFailure(kUnsupportedHashFunctionIntegrity, kBasicScript, secureURL);
}
// Integrity-attribute checks with the document placed in an insecure origin.
// secureURL and insecureURL are supplied as the two URL arguments of every
// check. Digest validation behaves as it does in a secure origin; the outcome
// that differs is the NoCors request, which is expected to fail here.
TEST_F(SubresourceIntegrityTest, CheckSubresourceIntegrityInInsecureOrigin)
{
    document->updateSecurityOrigin(insecureOrigin->isolatedCopy());

    // Every check runs against the same script body, so measure it once.
    const auto scriptLength = strlen(kBasicScript);

    // One digest per attribute: sha256 (strict and lenient syntax), sha384
    // and sha512 are all expected to validate.
    expectIntegrity(kSha256Integrity, kBasicScript, scriptLength, secureURL, insecureURL);
    expectIntegrity(kSha256IntegrityLenientSyntax, kBasicScript, scriptLength, secureURL, insecureURL);
    expectIntegrity(kSha384Integrity, kBasicScript, scriptLength, secureURL, insecureURL);
    expectIntegrity(kSha512Integrity, kBasicScript, scriptLength, secureURL, insecureURL);

    // A digest presented under the wrong algorithm label must be rejected.
    expectIntegrityFailure(kSha384IntegrityLabeledAs256, kBasicScript, scriptLength, secureURL, insecureURL);

    // An unsupported hash function is expected to pass the check, so an
    // attribute naming only unsupported algorithms enforces nothing.
    expectIntegrity(kUnsupportedHashFunctionIntegrity, kBasicScript, scriptLength, secureURL, insecureURL);

    // Several digests in one attribute: a wrong sha256 next to a correct
    // sha384 is still expected to validate.
    expectIntegrity(kSha256AndSha384Integrities, kBasicScript, scriptLength, secureURL, insecureURL);
    expectIntegrity(kBadSha256AndGoodSha384Integrities, kBasicScript, scriptLength, secureURL, insecureURL);

    // Without CORS the check is expected to fail even though the digest is
    // correct.
    // NOTE(review): presumably because the two URLs differ and the request is
    // treated as cross origin; confirm against the checker.
    expectIntegrityFailure(kSha256Integrity, kBasicScript, scriptLength, secureURL, insecureURL, NoCors);

    // A correct sha256 cannot rescue a wrong sha384: a weaker digest cannot
    // be used to downgrade the check.
    expectIntegrityFailure(kGoodSha256AndBadSha384Integrities, kBasicScript, scriptLength, secureURL, insecureURL);
}