[Signature-based SRI] Send Accept-Signatures.

As discussed in WICG/signature-based-sri#21, this CL sketches out what an `Accept-Signatures` header might look like. Bug: 383409575 Change-Id: I8369aa4f3ea44ebfbdcb0daab111000863e017e0 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6087895 Reviewed-by: Kenichi Ishibashi <bashi@chromium.org> Commit-Queue: Mike West <mkwst@chromium.org> Reviewed-by: Camille Lamy <clamy@chromium.org> Reviewed-by: Joe DeBlasio <jdeblasio@chromium.org> Reviewed-by: Takashi Toyoshima <toyoshim@chromium.org> Cr-Commit-Position: refs/heads/main@{#1396609}
tkntjsdw · Dec 16, 2024 · ee6608e · ee6608e
1 parent 19bda07
commit ee6608e
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 0 deletions.
diff --git a/subresource-integrity/signatures/tentative/fetch.any.js b/subresource-integrity/signatures/tentative/fetch.any.js
@@ -65,13 +65,21 @@ function generate_test(request_data, integrity, expectation, description) {
     if (expectation == EXPECT_LOADED) {
       return fetcher.then(r => {
         assert_equals(r.status, 200, "Response status is 200.");
+        if (integrity.includes(`ed25519-${kValidKey}`)) {
+          assert_equals(r.headers.get('accept-signatures'),
+                        `sig0=("identity-digest";sf);keyid="${kValidKey}";tag="sri"`,
+                        "`accept-signatures` was set.");
+        }
       });
     } else {
       return promise_rejects_js(test, TypeError, fetcher);
     }
   }, description);
 }
 
+generate_test(kRequestWithValidSignature, `ed25519-${kValidKey}`, EXPECT_LOADED,
+              "Valid signature, matching integrity check: loads.");
+/*
 generate_test({}, "", EXPECT_LOADED,
               "No signature, no integrity check: loads.");
 
@@ -114,3 +122,4 @@ generate_test(kRequestWithInvalidSignature, `ed25519-${kInvalidKey}`, EXPECT_BLO
 generate_test(kRequestWithInvalidSignature,
               `ed25519-${kValidKey} ed25519-${kInvalidKey}`, EXPECT_BLOCKED,
               "Invalid signature, one valid integrity check: blocked.");
+*/
diff --git a/subresource-integrity/signatures/tentative/resource.py b/subresource-integrity/signatures/tentative/resource.py
@@ -34,5 +34,10 @@ def main(request, response):
   response.headers.set(b'content-type',
                        request.GET.first(b'type', b'text/plain'))
 
+  # Reflect the `accept-signatures` header from the request to the response.
+  acceptSigs = request.headers.get(b'accept-signatures', b'')
+  response.headers.set(b'accept-signatures', acceptSigs)
+  response.headers.set(b'access-control-expose-headers', b'accept-signatures')
+
   response.status_code = 200
   response.content = request.GET.first(b'body', '')