🐛 [amp-script] skip sha384 check for cross-origin scripts in sandboxe…

…d mode (#36618) * skips sha384 check for remote scripts in sandboxed mode * update unit tests for amp-script * lint fix
ampproject · Nov 2, 2021 · bdc9729 · bdc9729
1 parent 5ebed63
commit bdc9729
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 2 deletions.
diff --git a/extensions/amp-script/0.1/amp-script.js b/extensions/amp-script/0.1/amp-script.js
@@ -437,8 +437,8 @@ export class AmpScript extends AMP.BaseElement {
           return response.text();
         } else {
           // For cross-origin, verify hash of script itself (skip in
-          // development mode).
-          if (this.development_) {
+          // development and sandboxed mode).
+          if (this.development_ || this.sandboxed_) {
             return response.text();
           } else {
             return response.text().then((text) => {

diff --git a/extensions/amp-script/0.1/test/unit/test-amp-script.js b/extensions/amp-script/0.1/test/unit/test-amp-script.js
@@ -130,6 +130,22 @@ describes.fakeWin('AmpScript', {amp: {runtimeOn: false}}, (env) => {
     expect(service.checkSha384).to.be.called;
   });
 
+  it('should skip the check for sha384(author_js) for cross-origin src in sandboxed mode', async () => {
+    env.sandbox.stub(env.ampdoc, 'getUrl').returns('https://foo.example/');
+    element.setAttribute('src', 'https://bar.example/bar.js');
+    element.setAttribute('sandboxed', '');
+
+    stubFetch(
+      'https://bar.example/bar.js',
+      {'Content-Type': 'application/javascript; charset=UTF-8'},
+      'alert(1)'
+    );
+
+    await script.buildCallback();
+    await script.layoutCallback();
+    expect(service.checkSha384).not.to.be.called;
+  });
+
   it('callFunction waits for initialization to complete before returning', async () => {
     element.setAttribute('script', 'local-script');
     script.workerDom_ = {callFunction: env.sandbox.spy()};