[wpt-sync] Sync PR 32287 - Do not skip SRI even if integrity attribute is cleared later
Categories
(Testing :: web-platform-tests, task, P4)
Tracking
(firefox100 fixed)
People
(Reporter: wpt-sync, Unassigned)
Details
(Whiteboard: [wptsync downstream])
Sync web-platform-tests PR 32287 into mozilla-central (this bug is closed when the sync is complete).
PR: https://github.com/web-platform-tests/wpt/pull/32287
Details from upstream follow.
Hiroshige Hayashizaki <hiroshige@chromium.org> wrote:
Do not skip SRI even if integrity attribute is cleared later

According to the HTML spec, the integrity attribute of script
elements is used in #prepare-a-script, and thus the changes
to the integrity attribute after #prepare-a-script shouldn't be
reflected.
However, if the integrity attribute is cleared after
#prepare-a-script, SRI check is skipped, because whether
the integrity attribute is empty is checked on script load finish.

This CL replaces the integrity attribute check with
ScriptFetchOptions' integrity metadata check.
The latter always reflects the integrity metadata set at
#prepare-a-script, and integrity attribute is no longer checked
after #prepare-a-script.

Bug: 686281
Change-Id: Ie31facd58bc3cdc3dd8056694b6da0d043c392c8
Reviewed-on: https://chromium-review.googlesource.com/1180823
WPT-Export-Revision: 1f31064bd5b526ff81fd4ed8611d6357cd0654a2
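
The behaviour change described in the commit message above, as an added JavaScript model that is not part of this bug and is not Chromium or Gecko code. `ScriptModel`, `finishLoadLegacy`, `finishLoadFixed`, `run` and the sample script bodies are hypothetical names and constructed values; only sha256 metadata is handled.

```javascript
// Simplified model (assumption), not browser source: sha256 only.
const { createHash } = require("node:crypto");

// SRI-style metadata string for a body: "sha256-<base64 digest>".
function sriFor(body) {
  return "sha256-" + createHash("sha256").update(body).digest("base64");
}

// Empty metadata means "no integrity requirement", so the check passes.
function matches(body, metadata) {
  if (!metadata) return true;
  return metadata.trim().split(/\s+/).includes(sriFor(body));
}

// Hypothetical stand-in for a <script> element.
class ScriptModel {
  constructor(integrity) {
    this.integrity = integrity; // live attribute, mutable by page script
    this.fetchOptions = null;   // set by prepare()
  }
  // Models #prepare-a-script: snapshot the integrity metadata once.
  prepare() {
    this.fetchOptions = Object.freeze({ integrityMetadata: this.integrity });
  }
  // Behaviour described as the bug: live attribute read at load finish.
  finishLoadLegacy(body) {
    if (this.integrity === "") return "executed"; // SRI check skipped
    return matches(body, this.fetchOptions.integrityMetadata) ? "executed" : "blocked";
  }
  // Behaviour after the change: only the snapshot is consulted.
  finishLoadFixed(body) {
    return matches(body, this.fetchOptions.integrityMetadata) ? "executed" : "blocked";
  }
}

// Constructed sample bodies.
const EXPECTED = "console.log('v1');";
const DELIVERED = "console.log('changed');";

// Prepare a script pinned to EXPECTED, optionally clear the attribute
// afterwards, then finish the load with `body`.
function run(finish, clearAttribute, body = DELIVERED) {
  const s = new ScriptModel(sriFor(EXPECTED));
  s.prepare();
  if (clearAttribute) s.integrity = "";
  return s[finish](body);
}

console.log(run("finishLoadLegacy", true), run("finishLoadFixed", true));
```
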
CI Results
Ran 12 Firefox configurations based on mozilla-central, and Firefox, Chrome, and Safari on GitHub CI
Total 2 tests and 46 subtests
Status Summary
Firefox
OK : 2
PASS: 90
FAIL: 21
Chrome
OK : 2
PASS: 104
FAIL: 7
Safari
OK : 2
PASS: 84
FAIL: 27
Details
New Tests That Don't Pass
/preload/subresource-integrity.html
Same-origin script with incorrect hash.: FAIL (Chrome: PASS, Safari: FAIL)
Same-origin script with sha256 match, sha512 mismatch: FAIL (Chrome: PASS, Safari: FAIL)
<crossorigin='anonymous'> script with incorrect hash, ACAO: *: FAIL (Chrome: PASS, Safari: FAIL)
<crossorigin='use-credentials'> script with incorrect hash CORS-eligible: FAIL (Chrome: PASS, Safari: FAIL)
<crossorigin='anonymous'> script with CORS-ineligible resource: FAIL (Chrome: PASS, Safari: FAIL)
Cross-origin script, not CORS request, with correct hash: FAIL (Chrome: PASS, Safari: FAIL)
Cross-origin script, not CORS request, with hash mismatch: FAIL (Chrome: PASS, Safari: FAIL)
Same-origin style with incorrect hash.: FAIL (Chrome: PASS, Safari: FAIL)
Same-origin style with sha256 match, sha512 mismatch: FAIL (Chrome: PASS, Safari: FAIL)
<crossorigin='anonymous'> style with incorrect hash, ACAO: *: FAIL (Chrome: PASS, Safari: FAIL)
<crossorigin='use-credentials'> style with incorrect hash CORS-eligible: FAIL (Chrome: PASS, Safari: FAIL)
<crossorigin='anonymous'> style with CORS-ineligible resource: FAIL (Chrome: PASS, Safari: FAIL)
Cross-origin style, not CORS request, with correct hash: FAIL (Chrome: PASS, Safari: FAIL)
Cross-origin style, not CORS request, with hash mismatch: FAIL (Chrome: PASS, Safari: FAIL)
Same-origin image with incorrect hash.: FAIL (Chrome: FAIL, Safari: FAIL)
Same-origin image with sha256 match, sha512 mismatch: FAIL (Chrome: FAIL, Safari: FAIL)
<crossorigin='anonymous'> image with incorrect hash, ACAO: *: FAIL (Chrome: FAIL, Safari: FAIL)
<crossorigin='use-credentials'> image with incorrect hash CORS-eligible: FAIL (Chrome: FAIL, Safari: FAIL)
<crossorigin='anonymous'> image with CORS-ineligible resource: FAIL (Chrome: PASS, Safari: FAIL)
Cross-origin image, not CORS request, with correct hash: FAIL (Chrome: FAIL, Safari: FAIL)
Cross-origin image, not CORS request, with hash mismatch: FAIL (Chrome: FAIL, Safari: FAIL)