diff --git a/httpobs/scanner/analyzer/content.py b/httpobs/scanner/analyzer/content.py
index a8db7be..eba36d9 100644
--- a/httpobs/scanner/analyzer/content.py
+++ b/httpobs/scanner/analyzer/content.py
@@ -170,6 +170,10 @@ def subresource_integrity(reqs: dict, expectation='sri-implemented-and-external-
                     # Relative protocol (src="//host/path")
                     relativeorigin = False
                     relativeprotocol = True
+            elif src.scheme == 'data':
+                # Data URI is essentially the same as inline script, treat is as local path for simplicity
+                relativeorigin = True
+                relativeprotocol = True
             else:
                 relativeorigin = False
                 relativeprotocol = False
diff --git a/httpobs/tests/unittests/files/test_content_sri_data_uri.html b/httpobs/tests/unittests/files/test_content_sri_data_uri.html
new file mode 100644
index 0000000..7214554
--- /dev/null
+++ b/httpobs/tests/unittests/files/test_content_sri_data_uri.html
@@ -0,0 +1,6 @@
+
+
+
+
+
+
diff --git a/httpobs/tests/unittests/test_content.py b/httpobs/tests/unittests/test_content.py
index b0ef5ef..9fe4b0b 100644
--- a/httpobs/tests/unittests/test_content.py
+++ b/httpobs/tests/unittests/test_content.py
@@ -195,6 +195,15 @@ def test_same_origin(self):
         self.assertEquals('sri-not-implemented-but-all-scripts-loaded-from-secure-origin', result['result'])
         self.assertTrue(result['pass'])
 
+    def test_data_uri(self):
+        # load from a remote site
+        self.reqs = empty_requests('test_content_sri_data_uri.html')
+
+        result = subresource_integrity(self.reqs)
+
+        self.assertEquals('sri-not-implemented-but-all-scripts-loaded-from-secure-origin', result['result'])
+        self.assertTrue(result['pass'])
+
     def test_implemented_external_scripts_https(self):
         # load from a remote site
         self.reqs = empty_requests('test_content_sri_impl_external_https1.html')
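Review bot: The comment on the new `elif src.scheme == 'data':` branch has a typo ("treat is as") and does not say why folding a data: script into the same-origin case is the right verdict; the reason worth recording is that the script bytes are embedded in the page itself, so there is no fetched resource for an integrity hash to cover. Suggest `# data: URIs embed the script in the page, so SRI cannot apply; classify it like an inline/local script rather than an external fetch`. The exact-match compare is fine if src comes from urllib.parse.urlparse, which lowercases the scheme, but other non-network schemes (e.g. blob:, javascript:) still fall through to the final else and are scored as external scripts, so it would help to state whether that is intended. The enclosing if/else chain and function continue outside the hunk.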
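Review bot: In test_data_uri the comment `# load from a remote site` was copied from the neighbouring tests and is wrong for this case, since the fixture exercises a script referenced through a data: URI rather than a remote fetch; suggest `# script delivered via a data: URI, which SRI cannot cover`. The fixture's markup is not visible in this chunk, so the test should also carry a one-line note of what the HTML contains (a single data: script and nothing else) so a reader can tell why the expected result is the secure-origin, not-implemented verdict rather than an external-script finding. The new method follows the file's existing assertEquals style, so no change is suggested there.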