From ee6608efe7e349ddba4864fbdfc9524ee023cf60 Mon Sep 17 00:00:00 2001
From: Mike West <mkwst@chromium.org>
Date: Mon, 16 Dec 2024 01:14:55 -0800
Subject: [PATCH] [Signature-based SRI] Send `Accept-Signatures`.

As discussed in https://github.com/WICG/signature-based-sri/issues/21,
this CL sketches out what an `Accept-Signatures` header might look like.

Bug: 383409575
Change-Id: I8369aa4f3ea44ebfbdcb0daab111000863e017e0
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6087895
Reviewed-by: Kenichi Ishibashi <bashi@chromium.org>
Commit-Queue: Mike West <mkwst@chromium.org>
Reviewed-by: Camille Lamy <clamy@chromium.org>
Reviewed-by: Joe DeBlasio <jdeblasio@chromium.org>
Reviewed-by: Takashi Toyoshima <toyoshim@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1396609}
---
 subresource-integrity/signatures/tentative/fetch.any.js | 9 +++++++++
 subresource-integrity/signatures/tentative/resource.py  | 5 +++++
 2 files changed, 14 insertions(+)

diff --git a/subresource-integrity/signatures/tentative/fetch.any.js b/subresource-integrity/signatures/tentative/fetch.any.js
index 4f3e44f7e92fa4..eba224888ba736 100644
--- a/subresource-integrity/signatures/tentative/fetch.any.js
+++ b/subresource-integrity/signatures/tentative/fetch.any.js
@@ -65,6 +65,11 @@ function generate_test(request_data, integrity, expectation, description) {
     if (expectation == EXPECT_LOADED) {
       return fetcher.then(r => {
         assert_equals(r.status, 200, "Response status is 200.");
+        if (integrity.includes(`ed25519-${kValidKey}`)) {
+          assert_equals(r.headers.get('accept-signatures'),
+                        `sig0=("identity-digest";sf);keyid="${kValidKey}";tag="sri"`,
+                        "`accept-signatures` was set.");
+        }
       });
     } else {
       return promise_rejects_js(test, TypeError, fetcher);
@@ -72,6 +77,9 @@ function generate_test(request_data, integrity, expectation, description) {
   }, description);
 }
 
+generate_test(kRequestWithValidSignature, `ed25519-${kValidKey}`, EXPECT_LOADED,
+              "Valid signature, matching integrity check: loads.");
+/*
 generate_test({}, "", EXPECT_LOADED,
               "No signature, no integrity check: loads.");
 
@@ -114,3 +122,4 @@ generate_test(kRequestWithInvalidSignature, `ed25519-${kInvalidKey}`, EXPECT_BLO
 generate_test(kRequestWithInvalidSignature,
               `ed25519-${kValidKey} ed25519-${kInvalidKey}`, EXPECT_BLOCKED,
               "Invalid signature, one valid integrity check: blocked.");
+*/
diff --git a/subresource-integrity/signatures/tentative/resource.py b/subresource-integrity/signatures/tentative/resource.py
index 3908b23703877e..e857de46c0a634 100644
--- a/subresource-integrity/signatures/tentative/resource.py
+++ b/subresource-integrity/signatures/tentative/resource.py
@@ -34,5 +34,10 @@ def main(request, response):
   response.headers.set(b'content-type',
                        request.GET.first(b'type', b'text/plain'))
 
+  # Reflect the `accept-signatures` header from the request to the response.
+  acceptSigs = request.headers.get(b'accept-signatures', b'')
+  response.headers.set(b'accept-signatures', acceptSigs)
+  response.headers.set(b'access-control-expose-headers', b'accept-signatures')
+
   response.status_code = 200
   response.content = request.GET.first(b'body', '')