| <!DOCTYPE html> |
| <meta http-equiv="Content-Security-Policy" |
| content="script-src 'unsafe-inline' 'nonce-abcd' 'ed25519-qGFmwTxlocg707D1cX4w60iTwtfwbMLf8ITDyfko7s0='"> |
| |
| <title>Subresource Integrity with Ed25519 plus Content Security Policy</title> |
| <script src="/resources/testharness.js" nonce="abcd"></script> |
| <script src="/resources/testharnessreport.js" nonce="abcd"></script> |
| <script src="/resources/sriharness.js" nonce="abcd"></script> |
| |
| <div id="log"></div> |
| <div id="container"></div> |
| <script nonce="abcd"> |
| // This needs to be the same key as in this doc's content security policy. |
| var public_key = "qGFmwTxlocg707D1cX4w60iTwtfwbMLf8ITDyfko7s0="; |
| new SRIScriptTest( |
| true, |
| "Ed25519-with-CSP, passes, valid key, valid signature.", |
| "ed25519-signature.js", |
| "ed25519-" + public_key |
| ).execute(); |
| |
| new SRIScriptTest( |
| false, |
| "Ed25519-with-CSP, fails, valid key, invalid signature.", |
| "ed25519-broken-signature.js", |
| "ed25519-" + public_key |
| ).execute(); |
| |
| // The first of these uses the nonce rather than the signature to pass CSP. |
| // That doesn't test anything useful about the Ed25519 feature, but is here |
| // to test the precondition for the next test. So if this test passes and |
| // the second one fails, then we can be sure that the 2nd test failed only |
| // because of the CSP key mismatch, as that's the only difference between |
| // the tests. |
| var key_not_in_csp = "5MVHFfs/9Ri+YSwH4FwneSFp88t1ljryPoLxdiyTKks="; |
| new SRIScriptTest( |
| true, |
| "Ed25519-with-CSP, passes, alternative key.", |
| "ed25519-signature2.js", |
| "ed25519-" + key_not_in_csp, |
| /* cross origin */ undefined, |
| /* nonce */ "abcd").execute(); |
| new SRIScriptTest( |
| false, |
| "Ed25519-with-CSP, fails, valid key, valid signature, key not in CSP.", |
| "ed25519-signature2.js", |
| "ed25519-" + key_not_in_csp, |
| ).execute(); |
| </script> |
| |
| |
