skips sha384 check for remote scripts in sandboxed mode
Zeeshan Rasool committed Oct 27, 2021
1 parent 8bef949 commit 4799504
Showing 2 changed files with 20 additions and 2 deletions.
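--- a/extensions/amp-script/0.1/amp-script.js
+++ b/extensions/amp-script/0.1/amp-script.js
@@ -425,8 +425,8 @@ export class AmpScript extends AMP.BaseElement {
 return response.text();
 } else {
 // For cross-origin, verify hash of script itself (skip in
-// development mode).
-if (this.development_) {
+// development and sandboxed mode).
+if (this.development_ || this.sandboxed_) {
 return response.text();
 } else {
 return response.text().then((text) => {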
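Review bot: The comment above `if (this.development_ || this.sandboxed_)` should say why skipping the hash is acceptable for sandboxed scripts, because with this branch a cross-origin script in sandboxed mode is no longer pinned to an author-approved sha384 and its containment rests entirely on what the sandbox restricts. Something like `// Sandboxed scripts skip the hash check: integrity then rests on the sandbox's restrictions alone, so any capability added to sandboxed mode must revisit this branch.` would keep that dependency visible to the next maintainer. Where `sandboxed_` is assigned is outside this hunk; judging by the accompanying test it follows the element's `sandboxed` attribute, so it is worth confirming that the value read here cannot differ from the mode the worker actually runs in. The enclosing method starts and ends outside the hunk.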
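--- a/extensions/amp-script/0.1/test/unit/test-amp-script.js
+++ b/extensions/amp-script/0.1/test/unit/test-amp-script.js
@@ -130,6 +130,24 @@ describes.fakeWin('AmpScript', {amp: {runtimeOn: false}}, (env) => {
 expect(service.checkSha384).to.be.called;
 });
 
+it('should skip the check for sha384(author_js) for cross-origin src in sandboxed mode', async () => {
+env.sandbox.stub(env.ampdoc, 'getUrl').returns('https://foo.example/')
+element.setAttribute('src', 'https://bar.example/bar.js')
+element.setAttribute('sandboxed', '')
+
+script.buildCallback()
+
+stubFetch(
+'https://bar.example/bar.js',
+{ 'Content-Type': 'application/javascript; charset=UTF-8' },
+'alert(1)'
+)
+
+service.checkSha384.withArgs('alert(1)').resolves()
+await script.layoutCallback()
+expect(service.checkSha384).not.to.be.called
+});
+
 it('callFunction waits for initialization to complete before returning', async () => {
 element.setAttribute('script', 'local-script');
 script.workerDom_ = {callFunction: env.sandbox.spy()};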
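Review bot: The line `service.checkSha384.withArgs('alert(1)').resolves()` sets up a call that the test then asserts never happens, which makes the case read as if the hash were still verified; dropping it leaves the intent clear. The new statements also omit the trailing semicolons that the surrounding tests use (compare `expect(service.checkSha384).to.be.called;` just above). Because this case pins a deliberately skipped integrity check, a one-line comment such as `// sandboxed mode: cross-origin script is fetched without sha384 verification` would make clear that the skip is expected only because of the `sandboxed` attribute. The preceding test, of which only the tail is visible here, appears to cover the non-sandboxed path.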
