Bug 1956062 [wpt PR 51556] - [SRI Message Signatures] Accept unknown parameters., a=testonly

mikewest · moz-wptsync-bot · commit 20459204a29c · 2025-03-26T09:40:46.000Z
Automatic update from web-platform-tests [SRI Message Signatures] Accept unknown parameters. After discussion in WICG/signature-based-sri#38, the specification has shifted to accept unknown parameters for forward compat[1]. Our implementation should do the same. [1]: WICG/signature-based-sri@65bbd5b Bug: 405793111 Change-Id: Ieff7f56eeb76048b73978714fca9d3635a89e81e Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6382317 Reviewed-by: Joe DeBlasio <jdeblasio@chromium.org> Commit-Queue: Mike West <mkwst@chromium.org> Cr-Commit-Position: refs/heads/main@{#1436906} -- wpt-commits: a40853676ebb1e890ca33c5db2c1ebc468c51935 wpt-pr: 51556
diff --git a/testing/web-platform/tests/subresource-integrity/signatures/tentative/unknown-parameter.window.js b/testing/web-platform/tests/subresource-integrity/signatures/tentative/unknown-parameter.window.js
@@ -0,0 +1,73 @@
+// META: script=helper.js
+
+// The following tests validate the behavior of unknown signature parameters.
+// They'll all be rooted in the following response, generated using the steps at
+// https://wicg.github.io/signature-based-sri/#examples, relying on the test
+// key from https://www.rfc-editor.org/rfc/rfc9421.html#name-example-ed25519-test-key:
+//
+// ```
+// NOTE: '\' line wrapping per RFC 8792
+//
+// HTTP/1.1 200 OK
+// Date: Tue, 20 Apr 2021 02:07:56 GMT
+// Content-Type: application/json
+// Unencoded-Digest: sha-256=:X48E9qOokqqrvdts8nOJRJN3OWDUoyWxBf7kbu9DBPE=:
+// Content-Length: 18
+// Signature-Input: signature=("unencoded-digest";sf "@status"); \
+//                  keyid="JrQLj5P/89iXES9+vFgrIy29clF9CC/oPPsw3c5D0bs=";       \
+//                  tag="sri"
+// Signature: signature=:oVQ+s/OqXLAVdfvgZ3HaPiyzkpNXZSit9l6e1FB/gOOL3t8FOrIRDV \
+//                       CkcIEcJjd3MA1mROn39/WQShTmnKmlDg==:
+//
+//
+// {"hello": "world"}
+// ```
+
+// Metadata from the response above:
+const kRequestsWithValidSignature = [
+  // ```
+  // "unencoded-digest";sf: sha-256=:PZJ+9CdAAIacg7wfUe4t/RkDQJVKM0mCZ2K7qiRhHFc=:
+  // "@signature-params": ("unencoded-digest";sf "@status");keyid="JrQLj5P/89iXES9+vFgrIy29clF9CC/oPPsw3c5D0bs=";tag="sri";unknown=1
+  // ```
+  {
+    body: "window.hello = `world`;",
+    digest: "sha-256=:PZJ+9CdAAIacg7wfUe4t/RkDQJVKM0mCZ2K7qiRhHFc=:",
+    signature: `signature=:eZ2DGIHUsTNMxFReOMkbOrTmn+CqDckCZ5/635x1Apl2ws0nA+qZcHqZFMdjBvcGw0WElh3zYD0ynkQ+cHiWCA==:`,
+    signatureInput: `signature=("unencoded-digest";sf);keyid="${kValidKeys['rfc']}";tag="sri";unknown=1`
+  },
+  // ```
+  // "unencoded-digest";sf: sha-256=:PZJ+9CdAAIacg7wfUe4t/RkDQJVKM0mCZ2K7qiRhHFc=:
+  // "@signature-params": ("unencoded-digest";sf "@status");unknown=1;keyid="JrQLj5P/89iXES9+vFgrIy29clF9CC/oPPsw3c5D0bs=";tag="sri"
+  // ```
+  {
+    body: "window.hello = `world`;",
+    digest: "sha-256=:PZJ+9CdAAIacg7wfUe4t/RkDQJVKM0mCZ2K7qiRhHFc=:",
+    signature: `signature=:YXQH8lkKBcGOMNSFbS56j3d5nK3j15HbFPIdsljzQVGFFd93T6FmXb2cLsoINYQbnMUOQBSROIzFZpgUQTBTBA==:`,
+    signatureInput: `signature=("unencoded-digest";sf);unknown=1;keyid="${kValidKeys['rfc']}";tag="sri"`
+  },
+];
+
+// Valid signatures depend upon integrity checks.
+//
+// We're testing our handling of malformed and multiple keys generally in
+// the broader `client-initiated.*` tests. Here we'll just focus on ensuring
+// that responses with unknown parameters load at all (no integrity check),
+// load when integrity checks match, and fail when integrity checks mismatch.
+for (const request of kRequestsWithValidSignature) {
+    // fetch():
+    generate_fetch_test(request, {}, EXPECT_LOADED,
+                        `Valid signature (${request.signature}), no integrity check: loads.`);
+    generate_fetch_test(request, {integrity:`ed25519-${kValidKeys['rfc']}`}, EXPECT_LOADED,
+                        `Valid signature (${request.signature}), matching integrity check: loads.`);
+
+    generate_fetch_test(request, {integrity:`ed25519-${kInvalidKey}`}, EXPECT_BLOCKED,
+                        `Valid signature (${request.signature}), mismatched integrity check: blocked.`);
+
+    // <script>:
+    generate_script_test(request, "", EXPECT_LOADED,
+                        `Valid signature (${request.signature}), no integrity check: loads.`);
+    generate_script_test(request, `ed25519-${kValidKeys['rfc']}`, EXPECT_LOADED,
+                        `Valid signature (${request.signature}), matching integrity check: loads.`);
+    generate_script_test(request, `ed25519-${kInvalidKey}`, EXPECT_BLOCKED,
+                        `Valid signature (${request.signature}), mismatched integrity check: blocked.`);
+}
