| <!DOCTYPE html> |
| <html> |
| <head> |
| <title>Subresource integrity check shouldn't be bypassed by |
| changing integrity attribute</title> |
| <script src="../../resources/testharness.js"></script> |
| <script src="../../resources/testharnessreport.js"></script> |
| |
| </head> |
| <body> |
| <script> |
| var t = async_test('Integrity check should not be bypassed ' + |
| 'by changing integrity attribute'); |
| var url = 'style-1-of-3.css?test=bypass-by-attribute-change'; |
| |
| // 1. Create a stylesheet with an unmatching integrity attribute. |
| var link1 = document.createElement('link'); |
| link1.setAttribute('rel', 'stylesheet'); |
| link1.setAttribute('href', url); |
| link1.setAttribute('integrity', |
| 'sha256-wrongwrongwrongwrongwrongwrongwrongwrongwro='); |
| |
| // This is expected to fail, but anyway proceed to step 2 and |
| // check whether the second stylesheet fails. |
| link1.addEventListener('load', step2); |
| link1.addEventListener('error', step2); |
| |
| document.head.appendChild(link1); |
| |
| // 2. Set the integrity attribute to the correct hash after fetch starts. |
| link1.setAttribute('integrity', |
| 'sha256-RvLeYLQyPa_ZQk95Rj0XQpfsoBHW9Vrqb3zwo5DScrI='); |
| |
| function step2() { |
| // 3. Create a stylesheet with the same URL and the same |
| // unmatching integrity attribute. This should fail. |
| var link2 = document.createElement('link'); |
| link2.setAttribute('rel', 'stylesheet'); |
| link2.setAttribute('href', url); |
| link2.setAttribute('integrity', |
| 'sha256-wrongwrongwrongwrongwrongwrongwrongwrongwro='); |
| link2.addEventListener('load', |
| t.unreached_func('Integrity check is bypassed')); |
| link2.addEventListener('error', t.step_func_done()); |
| document.head.appendChild(link2); |
| } |
| |
| </script> |
| </body> |
| </html> |