Implement basics of link preloading (#37036)

These changes allow a minimal set of checks for font-src CSP checks to pass. Part of #4577 Part of #35035 --------- Signed-off-by: Tim van der Lippe <tvanderlippe@gmail.com>
2025-10-01 00:59:15 +01:00 · 2025-05-29 13:26:27 +02:00 · 2025-05-29 13:26:27 +02:00 · 36e4886da1
commit 36e4886da1
parent 9dc1391bef
174 changed files with 2814 additions and 1097 deletions
--- a/tests/wpt/meta/preload/subresource-integrity.html.ini
+++ b/tests/wpt/meta/preload/subresource-integrity.html.ini
@ -0,0 +1,195 @@
+[subresource-integrity.html]
+  [Same-origin script with correct sha256 hash.]
+    expected: FAIL
+
+  [Same-origin script with correct sha384 hash.]
+    expected: FAIL
+
+  [Same-origin script with correct sha512 hash.]
+    expected: FAIL
+
+  [Same-origin script with empty integrity.]
+    expected: FAIL
+
+  [Same-origin script with incorrect hash.]
+    expected: FAIL
+
+  [Same-origin script with multiple sha256 hashes, including correct.]
+    expected: FAIL
+
+  [Same-origin script with multiple sha256 hashes, including unknown algorithm.]
+    expected: FAIL
+
+  [Same-origin script with sha256 mismatch, sha512 match]
+    expected: FAIL
+
+  [Same-origin script with sha256 match, sha512 mismatch]
+    expected: FAIL
+
+  [<crossorigin='anonymous'> script with correct hash, ACAO: *]
+    expected: FAIL
+
+  [<crossorigin='anonymous'> script with incorrect hash, ACAO: *]
+    expected: FAIL
+
+  [<crossorigin='use-credentials'> script with correct hash, CORS-eligible]
+    expected: FAIL
+
+  [<crossorigin='use-credentials'> script with incorrect hash CORS-eligible]
+    expected: FAIL
+
+  [<crossorigin='anonymous'> script with CORS-ineligible resource]
+    expected: FAIL
+
+  [Cross-origin script, not CORS request, with correct hash]
+    expected: FAIL
+
+  [Cross-origin script, not CORS request, with hash mismatch]
+    expected: FAIL
+
+  [Cross-origin script, empty integrity]
+    expected: FAIL
+
+  [Same-origin script with correct hash, options.]
+    expected: FAIL
+
+  [Same-origin script with unknown algorithm only.]
+    expected: FAIL
+
+  [Same-origin script with matching digest re-uses preload with matching digest.]
+    expected: FAIL
+
+  [Same-origin script with matching digest re-uses preload with matching digest and options.]
+    expected: FAIL
+
+  [Same-origin script with non-matching digest does not re-use preload with matching digest.]
+    expected: FAIL
+
+  [Same-origin script with matching digest does not re-use preload with non-matching digest.]
+    expected: FAIL
+
+  [Same-origin script with non-matching digest does not re-use preload with non-matching digest.]
+    expected: FAIL
+
+  [Same-origin script with matching digest does not reuse preload without digest.]
+    expected: FAIL
+
+  [Same-origin script with matching digest does not reuse preload with matching but stronger digest.]
+    expected: FAIL
+
+  [Same-origin script with wrong digest does not reuse preload with correct and stronger digest.]
+    expected: FAIL
+
+  [Same-origin script with matching digest does not reuse preload with matching but weaker digest.]
+    expected: FAIL
+
+  [Same-origin script with non-matching digest reuses preload with no digest but fails.]
+    expected: FAIL
+
+  [Same-origin style with correct sha256 hash.]
+    expected: FAIL
+
+  [Same-origin style with correct sha384 hash.]
+    expected: FAIL
+
+  [Same-origin style with correct sha512 hash.]
+    expected: FAIL
+
+  [Same-origin style with empty integrity.]
+    expected: FAIL
+
+  [Same-origin style with incorrect hash.]
+    expected: FAIL
+
+  [Same-origin style with multiple sha256 hashes, including correct.]
+    expected: FAIL
+
+  [Same-origin style with multiple sha256 hashes, including unknown algorithm.]
+    expected: FAIL
+
+  [Same-origin style with sha256 mismatch, sha512 match]
+    expected: FAIL
+
+  [Same-origin style with sha256 match, sha512 mismatch]
+    expected: FAIL
+
+  [<crossorigin='anonymous'> style with correct hash, ACAO: *]
+    expected: FAIL
+
+  [<crossorigin='anonymous'> style with incorrect hash, ACAO: *]
+    expected: FAIL
+
+  [<crossorigin='use-credentials'> style with correct hash, CORS-eligible]
+    expected: FAIL
+
+  [<crossorigin='use-credentials'> style with incorrect hash CORS-eligible]
+    expected: FAIL
+
+  [<crossorigin='anonymous'> style with CORS-ineligible resource]
+    expected: FAIL
+
+  [Cross-origin style, not CORS request, with correct hash]
+    expected: FAIL
+
+  [Cross-origin style, not CORS request, with hash mismatch]
+    expected: FAIL
+
+  [Cross-origin style, empty integrity]
+    expected: FAIL
+
+  [Same-origin style with correct hash, options.]
+    expected: FAIL
+
+  [Same-origin style with unknown algorithm only.]
+    expected: FAIL
+
+  [Same-origin style with matching digest re-uses preload with matching digest.]
+    expected: FAIL
+
+  [Same-origin style with matching digest re-uses preload with matching digest and options.]
+    expected: FAIL
+
+  [Same-origin style with non-matching digest does not re-use preload with matching digest.]
+    expected: FAIL
+
+  [Same-origin style with matching digest does not re-use preload with non-matching digest.]
+    expected: FAIL
+
+  [Same-origin style with non-matching digest does not re-use preload with non-matching digest.]
+    expected: FAIL
+
+  [Same-origin style with matching digest does not reuse preload without digest.]
+    expected: FAIL
+
+  [Same-origin style with matching digest does not reuse preload with matching but stronger digest.]
+    expected: FAIL
+
+  [Same-origin style with wrong digest does not reuse preload with correct and stronger digest.]
+    expected: FAIL
+
+  [Same-origin style with matching digest does not reuse preload with matching but weaker digest.]
+    expected: FAIL
+
+  [Same-origin style with non-matching digest reuses preload with no digest but fails.]
+    expected: FAIL
+
+  [Same-origin image with incorrect hash.]
+    expected: FAIL
+
+  [Same-origin image with sha256 match, sha512 mismatch]
+    expected: FAIL
+
+  [<crossorigin='anonymous'> image with incorrect hash, ACAO: *]
+    expected: FAIL
+
+  [<crossorigin='use-credentials'> image with incorrect hash CORS-eligible]
+    expected: FAIL
+
+  [<crossorigin='anonymous'> image with CORS-ineligible resource]
+    expected: FAIL
+
+  [Cross-origin image, not CORS request, with correct hash]
+    expected: FAIL
+
+  [Cross-origin image, not CORS request, with hash mismatch]
+    expected: FAIL