From 6e03ebc94d37563b474c9fc99fb3fa191a1c06c4 Mon Sep 17 00:00:00 2001
From: Yoav Weiss <yoavweiss@chromium.org>
Date: Thu, 13 Feb 2025 07:21:40 -0800
Subject: [PATCH] require-sri-for: 'script'

`require-sri-for` would enable documents to enforce SRI on all resources
they load (of a certain type). This CL revives a previous attempt [1]
at this that ended up being removed. It only adds the 'script' part of
it, as this has a clear use case [2].

Intent-to-Prototype: https://groups.google.com/a/chromium.org/g/blink-dev/c/CdLp5BM2FCQ/m/t9ae0Do_AAAJ

Spec PR: https://github.com/w3c/webappsec-subresource-integrity/pull/129

[1] https://chromium-review.googlesource.com/c/chromium/src/+/2199260
[2] https://docs.google.com/document/d/1RcUpbpWPxXTyW0Qwczs9GCTLPD3-LcbbhL4ooBUevTM/edit?tab=t.0

Change-Id: I66acc12b073174cb33cf594b714e803e24656d27
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5877633
Reviewed-by: Antonio Sartori <antoniosartori@chromium.org>
Commit-Queue: Yoav Weiss (@Shopify) <yoavweiss@chromium.org>
Reviewed-by: Arthur Sonzogni <arthursonzogni@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1419883}
---
 common/dispatcher/remote-executor.html        |   5 +-
 content-security-policy/resources/ran.js      |   1 +
 .../script-allowed-meta.https.html            |  14 ++
 .../script-blocked-meta.https.html            |  13 ++
 .../require-sri-for/script.https.html         | 148 ++++++++++++++++++
 5 files changed, 180 insertions(+), 1 deletion(-)
 create mode 100644 content-security-policy/resources/ran.js
 create mode 100644 content-security-policy/tentative/require-sri-for/script-allowed-meta.https.html
 create mode 100644 content-security-policy/tentative/require-sri-for/script-blocked-meta.https.html
 create mode 100644 content-security-policy/tentative/require-sri-for/script.https.html

diff --git a/common/dispatcher/remote-executor.html b/common/dispatcher/remote-executor.html
index 8b0030390d0d19..f87f566be960fd 100644
--- a/common/dispatcher/remote-executor.html
+++ b/common/dispatcher/remote-executor.html
@@ -3,7 +3,10 @@
 <meta charset="utf-8">
 <body>
 </body>
-<script src="./dispatcher.js"></script>
+<script src="./dispatcher.js"
+        crossorigin
+        integrity="sha256-daCATx8B9i1s6ixqZvCGcGQOv3a+VMoor6aS9UNUoiY=">
+</script>
 <script>
   const params = new URLSearchParams(window.location.search);
   const uuid = params.get('uuid');
diff --git a/content-security-policy/resources/ran.js b/content-security-policy/resources/ran.js
new file mode 100644
index 00000000000000..8beb22733df913
--- /dev/null
+++ b/content-security-policy/resources/ran.js
@@ -0,0 +1 @@
+window.ran = true;
diff --git a/content-security-policy/tentative/require-sri-for/script-allowed-meta.https.html b/content-security-policy/tentative/require-sri-for/script-allowed-meta.https.html
new file mode 100644
index 00000000000000..087498f0c573da
--- /dev/null
+++ b/content-security-policy/tentative/require-sri-for/script-allowed-meta.https.html
@@ -0,0 +1,14 @@
+<!doctype html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<meta http-equiv="Content-Security-Policy" content="require-sri-for 'script'">
+<script>
+  window.executed_test = async_test("Script that requires integrity executes and does not generate a violation report.");
+  document.addEventListener('securitypolicyviolation', executed_test.unreached_func("No report should be generated."));
+</script>
+<script crossorigin integrity="sha384-tqyFpeo21WFM8HDeUtLqH20GUq/q3D1R6mqTzW3RtyTZ3dAYZJhC1wUcnkgOE2ak"
+        src="/content-security-policy/resources/ran.js"></script>
+<script>
+  assert_true(window.ran);
+  window.executed_test.done();
+</script>
diff --git a/content-security-policy/tentative/require-sri-for/script-blocked-meta.https.html b/content-security-policy/tentative/require-sri-for/script-blocked-meta.https.html
new file mode 100644
index 00000000000000..fe69c61f5b6c68
--- /dev/null
+++ b/content-security-policy/tentative/require-sri-for/script-blocked-meta.https.html
@@ -0,0 +1,13 @@
+<!doctype html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<meta http-equiv="Content-Security-Policy" content="require-sri-for 'script'">
+<script src="/content-security-policy/resources/ran.js"></script>
+<script>
+promise_test(async t => {
+  const watcher = new EventWatcher(t, document, ['securitypolicyviolation']);
+  const e = await watcher.wait_for('securitypolicyviolation');
+  assert_equals(e.blockedURI, `${location.origin}/content-security-policy/resources/ran.js`);
+  assert_true(typeof(window.ran) == "undefined", "Script did not ran");
+}, "Test that meta require-sri-for blocks scripts with no SRI");
+</script>
diff --git a/content-security-policy/tentative/require-sri-for/script.https.html b/content-security-policy/tentative/require-sri-for/script.https.html
new file mode 100644
index 00000000000000..4c75e14de9c962
--- /dev/null
+++ b/content-security-policy/tentative/require-sri-for/script.https.html
@@ -0,0 +1,148 @@
+<!doctype html>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+<script src="/common/dispatcher/dispatcher.js"></script>
+<script src="/common/utils.js"></script>
+<script src="/common/get-host-info.sub.js"></script>
+
+<body>
+<script>
+  const {ORIGIN} = get_host_info();
+
+  const run_test = async (test_case) => {
+    promise_test(async () => {
+      const REMOTE_EXECUTOR =
+        `/common/dispatcher/remote-executor.html?pipe=`;
+      const iframe_uuid = token();
+
+      const csp_header = test_case.report_only ?
+                         "header(Content-Security-Policy-Report-Only,require-sri-for 'script')" :
+                         "header(Content-Security-Policy,require-sri-for 'script')";
+      const iframe_url = REMOTE_EXECUTOR + encodeURIComponent(csp_header);
+
+      const iframe = document.createElement('iframe');
+      iframe.src = iframe_url + `&uuid=${iframe_uuid}`;
+      document.body.appendChild(iframe);
+
+      // Execute code directly from the iframe.
+      const ctx = new RemoteContext(iframe_uuid);
+      const result = await ctx.execute_script(async (test_case) => {
+        let blockedURI;
+        if (test_case.should_block) {
+          window.addEventListener("securitypolicyviolation", e => {
+            blockedURI = e.blockedURI;
+          });
+        }
+
+        // Load the script
+        await new Promise(resolve => {
+          const script = document.createElement('script');
+          if (test_case.cross_origin) {
+            script.crossOrigin="anonymous";
+          }
+          if (test_case.integrity) {
+            script.integrity = test_case.integrity;
+          }
+          script.onload = resolve;
+          script.onerror = resolve;
+          script.src = test_case.url;
+          document.body.appendChild(script);
+        });
+
+        if (test_case.should_block && !window.ran) {
+          return blockedURI;
+        } else {
+          return window.ran;
+        }
+      }, [test_case]);
+      assert_equals(result, test_case.expected);
+    }, test_case.description);
+  };
+
+  const blob = new Blob([`window.ran=true;`],
+                        { type: 'application/javascript' });
+
+  const blob_url = URL.createObjectURL(blob);
+
+  // Generated using https://sha2.it/ed25519.html (In Chrome Canary, with Experimental Web Platform Features enabled)
+  const signature = encodeURIComponent(
+    'header(Unencoded-Digest, sha-384=:tqyFpeo21WFM8HDeUtLqH20GUq\/q3D1R6mqTzW3RtyTZ3dAYZJhC1wUcnkgOE2ak:)' +
+    '|header(Signature-Input, signature=\\("unencoded-digest";sf\\); keyid="JrQLj5P\/89iXES9+vFgrIy29clF9CC\/oPPsw3c5D0bs="; tag="sri")' +
+    '|header(Signature, signature=:qM19uLskHm2TQG5LJcH/hY0n0BWWzYOJztVWYlwk0cZb3u0JdgUMre1J4Jn8Tma0x2u5/kPBfbXRMbB+X+vTBw==:)');
+
+  const test_cases = [
+    {
+      description: "Ensure that a script without integrity did not run",
+      url: "/content-security-policy/resources/ran.js",
+      cross_origin: true,
+      integrity: "",
+      should_block: true,
+      expected: ORIGIN + "/content-security-policy/resources/ran.js",
+      report_only: false,
+    },
+    {
+      description: "Ensure that a script with unknown integrity algorithm did not run",
+      url: "/content-security-policy/resources/ran.js",
+      cross_origin: true,
+      integrity: "foobar-AAAAAAAAAAAAAAAAAAAa",
+      should_block: true,
+      expected: ORIGIN + "/content-security-policy/resources/ran.js",
+      report_only: false,
+    },
+    {
+      description: "Ensure that a script without integrity algorithm runs and gets reported in report-only mode",
+      url: "/content-security-policy/resources/ran.js",
+      cross_origin: true,
+      integrity: "",
+      should_block: true,
+      expected: true,
+      report_only: true,
+    },
+    {
+      description: "Ensure that a no-cors script gets blocked",
+      url: "/content-security-policy/resources/ran.js",
+      cross_origin: false,
+      integrity: "sha384-tqyFpeo21WFM8HDeUtLqH20GUq/q3D1R6mqTzW3RtyTZ3dAYZJhC1wUcnkgOE2ak",
+      should_block: true,
+      expected: ORIGIN + "/content-security-policy/resources/ran.js",
+      report_only: false,
+    },
+    {
+      description: "Ensure that a script with integrity runs",
+      url: "/content-security-policy/resources/ran.js",
+      cross_origin: true,
+      integrity: "sha384-tqyFpeo21WFM8HDeUtLqH20GUq/q3D1R6mqTzW3RtyTZ3dAYZJhC1wUcnkgOE2ak",
+      should_block: false,
+      expected: true,
+      report_only: false,
+    },
+    {
+      description: "Ensure that a script with signature integrity runs",
+      url: "/content-security-policy/resources/ran.js?pipe=" + signature,
+      cross_origin: true,
+      integrity: "ed25519-JrQLj5P/89iXES9+vFgrIy29clF9CC/oPPsw3c5D0bs=",
+      should_block: false,
+      expected: true,
+      report_only: false,
+    },
+    {
+      description: "Ensure that a data URI script with no integrity runs",
+      url: "data:application/javascript,window.ran=true",
+      cross_origin: true,
+      integrity: "",
+      should_block: false,
+      expected: true,
+      report_only: false,
+    },
+    {
+      description: "Ensure that a blob URL script with no integrity runs",
+      url: blob_url,
+      cross_origin: true,
+      integrity: "",
+      should_block: false,
+      expected: true,
+      report_only: false,
+    }
+  ];
+  test_cases.map(run_test);
+</script>