Bug 1497158 [wpt PR 13386] - Added tests to ensure that script blocks are converted to utf-8 before hashing, a=testonly
authorAndy Paicu <andypaicu@chromium.org>
Thu, 11 Oct 2018 09:32:11 +0000
changeset 496788 8f3fb46ce24eabd084bcb800195189ae2701b90c
parent 496787 26de403c4e08df164aeaa2f9868fb3f727b53427
child 496789 48ded72d05a229249f1a3087872507385831b5c4
push id9984
push userffxbld-merge
push dateMon, 15 Oct 2018 21:07:35 +0000
treeherdermozilla-beta@183d27ea8570 [default view] [failures only]
reviewerstestonly
bugs1497158, 13386, 892570, 1264536, 597836
milestone64.0a1
Bug 1497158 [wpt PR 13386] - Added tests to ensure that script blocks are converted to utf-8 before hashing, a=testonly Automatic update from web-platform-testsAdded tests to ensure that script blocks are converted to utf-8 before hashing https://github.com/w3c/webappsec-csp/issues/109 Bug: 892570 Change-Id: I52d0ff8ab6abd58de9503992f44ea42df50cb6b7 Reviewed-on: https://chromium-review.googlesource.com/c/1264536 Reviewed-by: Mike West <mkwst@chromium.org> Commit-Queue: Andy Paicu <andypaicu@chromium.org> Cr-Commit-Position: refs/heads/master@{#597836} -- wpt-commits: df87b8cec08c733bcde8f845a200afcf2c28e799 wpt-pr: 13386
testing/web-platform/tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-1.html
testing/web-platform/tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-1.html.sub.headers
testing/web-platform/tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-3.html
testing/web-platform/tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-3.html.sub.headers
testing/web-platform/tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-7.html
testing/web-platform/tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-7.html.sub.headers
testing/web-platform/tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-9.html
testing/web-platform/tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-9.html.sub.headers
testing/web-platform/tests/content-security-policy/script-src/hash-always-converted-to-utf-8/utf-8-lone-surrogate.html
testing/web-platform/tests/content-security-policy/script-src/hash-always-converted-to-utf-8/utf-8-lone-surrogate.html.sub.headers
testing/web-platform/tests/content-security-policy/script-src/hash-always-converted-to-utf-8/utf-8.html
testing/web-platform/tests/content-security-policy/script-src/hash-always-converted-to-utf-8/utf-8.html.sub.headers
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-1.html
@@ -0,0 +1,20 @@
+<html>
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc' 'sha256-c6TzhBw/snA+hlDMGOuKLWXIkb2sawA/S1wbSe6FeEM=';">
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+    <script nonce="abc">
+      var t1 = async_test("Should convert the script contents to UTF-8 before hashing");
+      window.addEventListener("securitypolicyviolation", t1.unreached_func("Should not have fired a spv"));
+    </script>
+
+    <!-- � (micro sign) has the value of 0xB5 in latin-1 and of 0xC2B5 in utf-8 but the hash value should be the same as the utf-8 computed one -->
+    <script>
+      // � - latin micro sign
+      t1.done();
+    </script>
+</body>
+</html>
+
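Review bot: The hashed inline block at the end of `<body>` only proves that the UTF-8-derived digest is accepted; nothing checks that a digest computed over the raw ISO-8859-1 byte (0xB5) is refused. An implementation that matches against either byte sequence would still pass, so the "always converted" claim in the directory name is only half covered. Consider a companion file whose policy lists only the raw-byte digest and whose test expects the violation, e.g. `window.addEventListener("securitypolicyviolation", t1.step_func_done());`. The same gap applies to iso-8859-3.html, iso-8859-7.html and iso-8859-9.html.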
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-1.html.sub.headers
@@ -0,0 +1,1 @@
+Content-Type: text/html; charset=iso-8859-1
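Review bot: The `.sub.headers` suffix asks wptserve to run template substitution on this file, yet the single header line contains no `{{…}}` placeholder. A plain `.headers` file would serve the same `Content-Type` and make it clearer that nothing dynamic is involved. This applies to all six header files added in this commit.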
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-3.html
@@ -0,0 +1,20 @@
+<html>
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc' 'sha256-hbNM6T3uO5pu4o5YfNnUmwtq5VHHMr7V5ospXtx9bqU=';">
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+    <script nonce="abc">
+      var t3 = async_test("Should convert the script contents to UTF-8 before hashing");
+      window.addEventListener("securitypolicyviolation", t3.unreached_func("Should not have fired a spv"));
+    </script>
+
+    <!-- � (latin capital letter g with breve) has the value of 0xAB in latin-3 and of 0xC49E in utf-8 but the hash value should be the same as the utf-8 computed one -->
+    <script>
+      // � - latin capital letter g with breve
+      t3.done();
+    </script>
+</body>
+</html>
+
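Review bot: The digest in the `<meta>` policy is tied to the exact text of the final `<script>` block (leading newline, indentation and the comment line carrying the non-ASCII byte) and to the file being stored as ISO-8859-3 rather than UTF-8, but nothing in the file says so. A reformat, or an editor that re-saves the file as UTF-8, would change the hashed text, and the resulting failure would look like a browser bug. I would add a comment above the block such as `<!-- Do not reformat or re-encode: the sha256 in the policy covers this block's exact text, and the file must stay ISO-8859-3 -->`. The same note is worth adding, with the encoding adjusted, to iso-8859-1.html, iso-8859-7.html and iso-8859-9.html.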
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-3.html.sub.headers
@@ -0,0 +1,1 @@
+Content-Type: text/html; charset=iso-8859-3
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-7.html
@@ -0,0 +1,20 @@
+<html>
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc' 'sha256-ST0rpskqtEC0Q0hqbIAZFeE1KBMJeGZGyYaTcTkieG8=';">
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+    <script nonce="abc">
+      var t2 = async_test("Should convert the script contents to UTF-8 before hashing");
+      window.addEventListener("securitypolicyviolation", t2.unreached_func("Should not have fired a spv"));
+    </script>
+
+    <!-- � (greek small letter mu) has the value of 0xEC in latin-7 and of 0xCEBC in utf-8 but the hash value should be the same as the utf-8 computed one -->
+    <script>
+      // � - greek small letter mu
+      t2.done();
+    </script>
+</body>
+</html>
+
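Review bot: The HTML comment above the hashed block calls the encoding "latin-7", but ISO-8859-7 is the Latin/Greek part; Latin-7 is the usual name for ISO-8859-13. The byte values quoted (0xEC and 0xCEBC) are consistent with ISO-8859-7, so only the label needs changing, e.g. `has the value of 0xEC in ISO-8859-7 and of 0xCEBC in utf-8`. iso-8859-9.html has the same slip: its comment says "latin-9" (normally ISO-8859-15), whereas ISO-8859-9 is Latin-5.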
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-7.html.sub.headers
@@ -0,0 +1,1 @@
+Content-Type: text/html; charset=iso-8859-7
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-9.html
@@ -0,0 +1,20 @@
+<html>
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc' 'sha256-hbNM6T3uO5pu4o5YfNnUmwtq5VHHMr7V5ospXtx9bqU=';">
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+    <script nonce="abc">
+      var t3 = async_test("Should convert the script contents to UTF-8 before hashing");
+      window.addEventListener("securitypolicyviolation", t3.unreached_func("Should not have fired a spv"));
+    </script>
+
+    <!-- � (latin capital letter g with breve) has the value of 0xD0 in latin-9 and of 0xC49E in utf-8 but the hash value should be the same as the utf-8 computed one -->
+    <script>
+      // � - latin capital letter g with breve
+      t3.done();
+    </script>
+</body>
+</html>
+
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/hash-always-converted-to-utf-8/iso-8859-9.html.sub.headers
@@ -0,0 +1,1 @@
+Content-Type: text/html; charset=iso-8859-9
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/hash-always-converted-to-utf-8/utf-8-lone-surrogate.html
@@ -0,0 +1,31 @@
+<html>
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc' 'sha256-YJSaNEZFStZqU2Mp2EttwhcP2aT9lnDvexn+BM2HfKo=';">
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+    <script nonce="abc">
+      var t = async_test("Should convert the script contents to UTF-8 before hashing");
+      var count = 0;
+      var script_ran = function() {
+        // if both blocks run the tests is succsssful
+        if (++count == 2) t.done();
+      }
+      window.addEventListener("securitypolicyviolation", t.unreached_func("Should not have fired a spv"));
+
+      // Insert a script element that contains the U+FFFD replacement character
+      var scr1 = document.createElement('script');
+      scr1.text ="//\uFFFD\nscript_ran();";
+      document.body.appendChild(scr1);
+
+      // Insert a script element that contains a surrogate character but it otherwise
+      // entirely identical to the previously inserted one, the surrogate should be
+      // be converted to U+FFFD when converting to UTF-8 so it should have the
+      // same hash as the one inserted before
+      var scr2 = document.createElement('script');
+      scr2.text ="//\uD801\nscript_ran();";
+      document.body.appendChild(scr2);
+    </script>
+</body>
+</html>
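Review bot: The comments in the nonce'd script have typos that blur the intent of a subtle test. I would write `// if both blocks run, the test is successful` and reword the second comment to say the element "contains a lone surrogate but is otherwise identical to the previous one; the surrogate should be converted to U+FFFD". Separately, both insertions share one `async_test`, so a failure does not show whether the U+FFFD script or the U+D801 script was blocked. Replacing `unreached_func` with a listener that puts the event's `lineNumber` or `sample` into the assertion message would make a mismatch easier to diagnose.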
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/hash-always-converted-to-utf-8/utf-8-lone-surrogate.html.sub.headers
@@ -0,0 +1,1 @@
+Content-Type: text/html; charset=utf-8
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/hash-always-converted-to-utf-8/utf-8.html
@@ -0,0 +1,36 @@
+<html>
+<head>
+    <meta http-equiv="Content-Security-Policy" content="script-src 'self' 'nonce-abc'
+          'sha256-c6TzhBw/snA+hlDMGOuKLWXIkb2sawA/S1wbSe6FeEM='
+          'sha256-ST0rpskqtEC0Q0hqbIAZFeE1KBMJeGZGyYaTcTkieG8='
+          'sha256-hbNM6T3uO5pu4o5YfNnUmwtq5VHHMr7V5ospXtx9bqU=';">
+          <!-- hashes matching the 3 script blocks below -->
+    <script src='/resources/testharness.js'></script>
+    <script src='/resources/testharnessreport.js'></script>
+</head>
+<body>
+    <script nonce="abc">
+      var t1 = async_test("Should convert the script contents to UTF-8 before hashing - latin micro sign");
+      window.addEventListener("securitypolicyviolation", t1.unreached_func("Should not have fired a spv"));
+      var t2 = async_test("Should convert the script contents to UTF-8 before hashing - greek small letter mu");
+      window.addEventListener("securitypolicyviolation", t2.unreached_func("Should not have fired a spv"));
+      var t3 = async_test("Should convert the script contents to UTF-8 before hashing - latin capital letter g with breve");
+      window.addEventListener("securitypolicyviolation", t3.unreached_func("Should not have fired a spv"));
+    </script>
+
+    <!-- the hash values of these script blocks should match the same values
+         of identical script blocks in documents with other encodings -->
+    <script>
+      // µ - latin micro sign
+      t1.done();
+    </script>
+    <script>
+      // μ - greek small letter mu
+      t2.done();
+    </script>
+    <script>
+      // Ğ - latin capital letter g with breve
+      t3.done();
+    </script>
+</body>
+</html>
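Review bot: The three `securitypolicyviolation` listeners in the nonce'd script each fail their own test on any violation, so a single mismatching digest fails t1, t2 and t3 together and the report cannot show which character's block was refused. One shared listener that records the event's `lineNumber` or `sample` and fails only the matching test would keep the three subtests independent. It would also help to expand the comment after the `<meta>` so it maps each `sha256-…` value to its block (micro sign, greek mu, g with breve), since the same digests are reused by the iso-8859-* files.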
new file mode 100644
--- /dev/null
+++ b/testing/web-platform/tests/content-security-policy/script-src/hash-always-converted-to-utf-8/utf-8.html.sub.headers
@@ -0,0 +1,1 @@
+Content-Type: text/html; charset=utf-8