diff --git a/testing/web-platform/tests/preload/subresource-integrity.html b/testing/web-platform/tests/preload/subresource-integrity.html index a1c867e2911cb..f4ff950924e30 100644 --- a/testing/web-platform/tests/preload/subresource-integrity.html +++ b/testing/web-platform/tests/preload/subresource-integrity.html @@ -309,6 +309,51 @@ {integrity: "sha256-deaddeadbeefYHFvsYdWumweeFAw0hJDTFt9seErghA="} ) + SRIPreloadTest( + true, + true, + `Same-origin ${destination} with matching digest does not reuse preload without digest.`, + 2, + destination, + same_origin_prefix + destination + ext + `?${token()}`, + {}, + {integrity: sha256} + ) + + // This is an acceptable failure + SRIPreloadTest( + true, + true, + `[Tentative] Same-origin ${destination} with matching digest does not reuse preload with matching but stronger digest.`, + 2, + destination, + same_origin_prefix + destination + ext + `?${token()}`, + {integrity: sha384}, + {integrity: sha256}, + ) + + SRIPreloadTest( + true, + true, + `Same-origin ${destination} with matching digest does not reuse preload with matching but weaker digest.`, + 2, + destination, + same_origin_prefix + destination + ext + `?${token()}`, + {integrity: sha256}, + {integrity: sha384}, + ) + + SRIPreloadTest( + true, + false, + `Same-origin ${destination} with non-matching digest reuses preload with no digest but fails.`, + 2, + destination, + same_origin_prefix + destination + ext + `?${token()}`, + {}, + {integrity: "sha256-sha256-deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdead"}, + ) + } // if. } // for-of. diff --git a/testing/web-platform/tests/service-workers/service-worker/fetch-canvas-tainting-video-with-range-request.https.html b/testing/web-platform/tests/service-workers/service-worker/fetch-canvas-tainting-video-with-range-request.https.html index f1ff7ae59a7de..28c3071804767 100644 --- a/testing/web-platform/tests/service-workers/service-worker/fetch-canvas-tainting-video-with-range-request.https.html +++ b/testing/web-platform/tests/service-workers/service-worker/fetch-canvas-tainting-video-with-range-request.https.html @@ -63,12 +63,11 @@ // (3) Range responses come from multiple origins. The first response comes from // cross-origin (and without CORS sharing, so is opaque). Subsequent -// responses come from same-origin. The canvas should be tainted (but in -// Chrome this is a LOAD_ERROR since it disallows range responses from -// multiple origins, period). +// responses come from same-origin. This should result in a load error, as regardless of canvas +// loading range requests from multiple opaque origins can reveal information across those origins. range_request_test( 'resources/range-request-to-different-origins-worker.js', - 'TAINTED', + 'LOAD_ERROR', 'range responses from multiple origins (cross-origin first)'); // (4) Range responses come from multiple origins. The first response comes from