wpt: add integrity.sub.any.js

Author: KhafraDev

lib/fetch/util.js

@@ -532,8 +532,11 @@ function bytesMatch (bytes, metadataList) {
 
   // 4. Let metadata be the result of getting the strongest
   //    metadata from parsedMetadata.
-  // Note: this will only work for SHA- algorithms and it's lazy *at best*.
-  const metadata = parsedMetadata.sort((c, d) => d.algo.localeCompare(c.algo))
+  const list = parsedMetadata.sort((c, d) => d.algo.localeCompare(c.algo))
+  // get the strongest algorithm
+  const strongest = list[0].algo
+  // get all entries that use the strongest algorithm; ignore weaker
+  const metadata = list.filter((item) => item.algo === strongest)
 
   // 5. For each item in metadata:
   for (const item of metadata) {
@@ -559,10 +562,9 @@ function bytesMatch (bytes, metadataList) {
 }
 
 // https://w3c.github.io/webappsec-subresource-integrity/#grammardef-hash-with-options
-// hash-algo is defined in Content Security Policy 2 Section 4.2
-// base64-value is similary defined there
-// VCHAR is defined https://www.rfc-editor.org/rfc/rfc5234#appendix-B.1
-const parseHashWithOptions = /((?<algo>sha256|sha384|sha512)-(?<hash>[A-z0-9+/]{1}.*={1,2}))( +[\x21-\x7e]?)?/i
+// https://www.w3.org/TR/CSP2/#source-list-syntax
+// https://www.rfc-editor.org/rfc/rfc5234#appendix-B.1
+const parseHashWithOptions = /((?<algo>sha256|sha384|sha512)-(?<hash>[A-z0-9+/]{1}.*={0,2}))( +[\x21-\x7e]?)?/i
 
 /**
  * @see https://w3c.github.io/webappsec-subresource-integrity/#parse-metadata

test/wpt/runner/runner/runner.mjs

@@ -81,7 +81,9 @@ export class WPTRunner extends EventEmitter {
     const workerPath = fileURLToPath(join(import.meta.url, '../worker.mjs'))
 
     for (const test of this.#files) {
-      const code = readFileSync(test, 'utf-8')
+      const code = test.includes('.sub.')
+        ? handlePipes(readFileSync(test, 'utf-8'), this.#url)
+        : readFileSync(test, 'utf-8')
       const meta = this.resolveMeta(code, test)
 
       const worker = new Worker(workerPath, {

test/wpt/runner/runner/util.mjs

@@ -110,7 +110,7 @@ export function handlePipes (code, url) {
       // "The port number of servers, by protocol e.g. {{ports[http][0]}}
       //  for the first (and, depending on setup, possibly only) http server"
       case 'ports': {
-        return server.port
+        return `${server.port}/`
       }
       default: {
         throw new TypeError(`Unknown substitute "${sub}".`)

test/wpt/server/server.mjs

@@ -31,6 +31,7 @@ const server = createServer(async (req, res) => {
   const fullUrl = new URL(req.url, `http://localhost:${server.address().port}`)
 
   switch (fullUrl.pathname) {
+    case '/fetch/api/resources/top.txt':
     case '/mimesniff/mime-types/resources/generated-mime-types.json':
     case '/mimesniff/mime-types/resources/mime-types.json':
     case '/interfaces/dom.idl':
@@ -222,6 +223,11 @@ const server = createServer(async (req, res) => {
     case '/fetch/connection-pool/resources/network-partition-key.py': {
       return route(req, res, fullUrl)
     }
+    case '/resources/top.txt': {
+      return createReadStream(join(tests, 'fetch/api/', fullUrl.pathname))
+        .on('end', () => res.end())
+        .pipe(res)
+    }
     default: {
       res.statusCode = 200
       res.end('body')

test/wpt/status/fetch.status.json

@@ -62,5 +62,10 @@
 			"response.headers.get('foo-test') expects 1, 2, 3",
 			"response.headers.get('heya') expects , \\x0B\f, 1, , , 2"
 		]
+	},
+	"integrity.sub.any.js": {
+		"fail": [
+			"Empty string integrity for opaque response"
+		]
 	}
 }

test/wpt/tests/fetch/api/basic/integrity.sub.any.js

@@ -0,0 +1,77 @@
+// META: global=window,dedicatedworker,sharedworker
+// META: script=../resources/utils.js
+
+function integrity(desc, url, integrity, initRequestMode, shouldPass) {
+  var fetchRequestInit = {'integrity': integrity}
+  if (!!initRequestMode && initRequestMode !== "") {
+    fetchRequestInit.mode = initRequestMode;
+  }
+
+  if (shouldPass) {
+    promise_test(function(test) {
+      return fetch(url, fetchRequestInit).then(function(resp) {
+        if (initRequestMode !== "no-cors") {
+          assert_equals(resp.status, 200, "Response's status is 200");
+        } else {
+          assert_equals(resp.status, 0, "Opaque response's status is 0");
+          assert_equals(resp.type, "opaque");
+        }
+      });
+    }, desc);
+  } else {
+    promise_test(function(test) {
+      return promise_rejects_js(test, TypeError, fetch(url, fetchRequestInit));
+    }, desc);
+  }
+}
+
+const topSha256 = "sha256-KHIDZcXnR2oBHk9DrAA+5fFiR6JjudYjqoXtMR1zvzk=";
+const topSha384 = "sha384-MgZYnnAzPM/MjhqfOIMfQK5qcFvGZsGLzx4Phd7/A8fHTqqLqXqKo8cNzY3xEPTL";
+const topSha512 = "sha512-D6yns0qxG0E7+TwkevZ4Jt5t7Iy3ugmAajG/dlf6Pado1JqTyneKXICDiqFIkLMRExgtvg8PlxbKTkYfRejSOg==";
+const invalidSha256 = "sha256-dKUcPOn/AlUjWIwcHeHNqYXPlvyGiq+2dWOdFcE+24I=";
+const invalidSha512 = "sha512-oUceBRNxPxnY60g/VtPCj2syT4wo4EZh2CgYdWy9veW8+OsReTXoh7dizMGZafvx9+QhMS39L/gIkxnPIn41Zg==";
+
+const path = dirname(location.pathname) + RESOURCES_DIR + "top.txt";
+const url = path;
+const corsUrl =
+  `http://{{host}}:{{ports[http][1]}}${path}?pipe=header(Access-Control-Allow-Origin,*)`;
+const corsUrl2 = `https://{{host}}:{{ports[https][0]}}${path}`
+
+integrity("Empty string integrity", url, "", /* initRequestMode */ undefined,
+          /* shouldPass */ true);
+integrity("SHA-256 integrity", url, topSha256, /* initRequestMode */ undefined,
+          /* shouldPass */ true);
+integrity("SHA-384 integrity", url, topSha384, /* initRequestMode */ undefined,
+          /* shouldPass */ true);
+integrity("SHA-512 integrity", url, topSha512, /* initRequestMode */ undefined,
+          /* shouldPass */ true);
+integrity("Invalid integrity", url, invalidSha256,
+          /* initRequestMode */ undefined, /* shouldPass */  false);
+integrity("Multiple integrities: valid stronger than invalid", url,
+          invalidSha256 + " " + topSha384, /* initRequestMode */ undefined,
+          /* shouldPass */ true);
+integrity("Multiple integrities: invalid stronger than valid",
+          url, invalidSha512 + " " + topSha384, /* initRequestMode */ undefined,
+          /* shouldPass */ false);
+integrity("Multiple integrities: invalid as strong as valid", url,
+          invalidSha512 + " " + topSha512, /* initRequestMode */ undefined,
+          /* shouldPass */ true);
+integrity("Multiple integrities: both are valid", url,
+          topSha384 + " " + topSha512, /* initRequestMode */ undefined,
+          /* shouldPass */ true);
+integrity("Multiple integrities: both are invalid", url,
+          invalidSha256 + " " + invalidSha512, /* initRequestMode */ undefined,
+          /* shouldPass */ false);
+integrity("CORS empty integrity", corsUrl, "", /* initRequestMode */ undefined,
+          /* shouldPass */ true);
+integrity("CORS SHA-512 integrity", corsUrl, topSha512,
+          /* initRequestMode */ undefined, /* shouldPass */ true);
+integrity("CORS invalid integrity", corsUrl, invalidSha512,
+          /* initRequestMode */ undefined, /* shouldPass */ false);
+
+integrity("Empty string integrity for opaque response", corsUrl2, "",
+          /* initRequestMode */ "no-cors", /* shouldPass */ true);
+integrity("SHA-* integrity for opaque response", corsUrl2, topSha512,
+          /* initRequestMode */ "no-cors", /* shouldPass */ false);
+
+done();