Add a few cases to preload SRI (#33326)

* Add two cases to preload SRI * Add test for stronger/weaker digest * Fix expected results for video loading from multiple origins See whatwg/html#7655 When loading video from multiple opaque origins (by a middleman service-worker), video loading should fail rather than be alllowed and taint the canvas. That's because some of the video responses may contain metadata such as duration that would leak to the subsequent requests. See whatwg/html#2814 (comment) for further details. This change makes the test case pass in all browsers. * Add another case
web-platform-tests · Mar 29, 2022 · 6a214e8 · 6a214e8
1 parent 3cf8b13
commit 6a214e8
Show file tree

Hide file tree

Showing 2 changed files with 48 additions and 4 deletions.
diff --git a/preload/subresource-integrity.html b/preload/subresource-integrity.html
@@ -309,6 +309,51 @@
         {integrity: "sha256-deaddeadbeefYHFvsYdWumweeFAw0hJDTFt9seErghA="}
       )
 
+      SRIPreloadTest(
+        true,
+        true,
+        `Same-origin ${destination} with matching digest does not reuse preload without digest.`,
+        2,
+        destination,
+        same_origin_prefix + destination + ext + `?${token()}`,
+        {},
+        {integrity: sha256}
+      )
+
+      // This is an acceptable failure
+      SRIPreloadTest(
+        true,
+        true,
+        `[Tentative] Same-origin ${destination} with matching digest does not reuse preload with matching but stronger digest.`,
+        2,
+        destination,
+        same_origin_prefix + destination + ext + `?${token()}`,
+        {integrity: sha384},
+        {integrity: sha256},
+      )
+
+      SRIPreloadTest(
+        true,
+        true,
+        `Same-origin ${destination} with matching digest does not reuse preload with matching but weaker digest.`,
+        2,
+        destination,
+        same_origin_prefix + destination + ext + `?${token()}`,
+        {integrity: sha256},
+        {integrity: sha384},
+      )
+
+      SRIPreloadTest(
+        true,
+        false,
+        `Same-origin ${destination} with non-matching digest reuses preload with no digest but fails.`,
+        2,
+        destination,
+        same_origin_prefix + destination + ext + `?${token()}`,
+        {},
+        {integrity: "sha256-sha256-deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdead"},
+      )
+
     } // if.
 
   } // for-of.

diff --git a/service-workers/service-worker/fetch-canvas-tainting-video-with-range-request.https.html b/service-workers/service-worker/fetch-canvas-tainting-video-with-range-request.https.html
@@ -63,12 +63,11 @@
 
 // (3) Range responses come from multiple origins. The first response comes from
 //     cross-origin (and without CORS sharing, so is opaque). Subsequent
-//     responses come from same-origin. The canvas should be tainted (but in
-//     Chrome this is a LOAD_ERROR since it disallows range responses from
-//     multiple origins, period).
+//     responses come from same-origin. This should result in a load error, as regardless of canvas
+//     loading range requests from multiple opaque origins can reveal information across those origins.
 range_request_test(
   'resources/range-request-to-different-origins-worker.js',
-  'TAINTED',
+  'LOAD_ERROR',
   'range responses from multiple origins (cross-origin first)');
 
 // (4) Range responses come from multiple origins. The first response comes from