Forwarding to dev-security, this is awesome :D i stuck a link to this test suite in our CSP 1.0 compliance bug, https://bugzilla.mozilla.org/show_bug.cgi?id=746978
thanks, ian

----- Forwarded Message -----
From: "Erlend Oftedal" <erl...@oftedal.no>
To: public-webapp...@w3.org
Sent: Friday, September 7, 2012 10:41:16 AM
Subject: CSP 1.0 browser compliance testing

Hi

For some time now I have been maintaining a CSP readiness page at http://erlend.oftedal.no/blog/csp/readiness/

I recently rewrote the whole test page into a new version with loads more tests at: http://csptesting.herokuapp.com

Contributions in terms of new tests and QA of the existing ones are highly appreciated (other contributions as well of course). See below if you are interested.

Best regards
Erlend Oftedal

--

Contributions:

The code is at github: http://github.com/eoftedal/csptesting

A quick note on how the code works:

- test cases are in test_case.rb at the bottom
- each test loads a template in a hidden iframe
- the iframe includes CSP as a header
- the iframe does a request that should succeed or not depending on the directives in the CSP header
- If the intention of the test is to test if a blocked request for some reason goes through, it will point to /test/fail/[test id]
- If the intention of the test is to test if an allowed request goes through, it will point to /test/pass/[test id]
- The session holds a list of all tests with the opposite result, and this list is updated depending on the incoming request.

Example: The test to check that script-src 'none' blocks script-tags opens up an iframe with <script src="/test/fail/15"></script>. In the session, test 15 is set to true (passed). If for some reason a request is made despite the CSP header, the request will cause test 15 in the session to be set to false (failed). In the opposite test, where script-src 'self' is allowed, the test is marked as false in the session. When the request is made, the test is flipped to true in the session (the url is now /test/pass/14).

You can see individual tests like this:
http://csptesting.herokuapp.com/test/load/15
http://csptesting.herokuapp.com/test/load/14

Ideally you should be able to add new tests by adding a line or two to TestCase.rb and adding a new template.

dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
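The session bookkeeping Erlend describes, as an added Ruby model that is not the csptesting project's own code: each test starts in the session at the opposite of what its request would set, and the /test/pass/[id] or /test/fail/[id] hit flips it. Test ids 14 and 15 and their directives come from the message above; the class, method and constant names are my own.

```ruby
# Added example (not from github.com/eoftedal/csptesting): a minimal model of
# the session-based pass/fail bookkeeping described in the message.
TestCase = Struct.new(:id, :description, :expect_blocked) do
  # Initial session value is the OPPOSITE of what the request would set:
  # a "must be blocked" test starts as passed (true) and only flips to false
  # if the request leaks through; a "must be allowed" test starts as failed
  # (false) and flips to true when the request arrives.
  def initial_state
    expect_blocked
  end

  # URL the template embeds: /test/fail/<id> when the request must not
  # happen, /test/pass/<id> when it must.
  def url
    expect_blocked ? "/test/fail/#{id}" : "/test/pass/#{id}"
  end
end

# Constructed cases taken from the message's worked example.
TEST_CASES = [
  TestCase.new(14, "script-src 'self' allows same-origin script", false),
  TestCase.new(15, "script-src 'none' blocks script tag", true)
].freeze

# Build a fresh session: every test starts at its initial state.
def new_session(cases = TEST_CASES)
  cases.map { |tc| [tc.id, tc.initial_state] }.to_h
end

# Handle an incoming request path from an iframe and return the updated
# session. Paths that are not /test/(pass|fail)/<known id> are ignored so a
# stray request cannot corrupt the bookkeeping.
def record_request(session, path)
  m = %r{\A/test/(pass|fail)/(\d+)\z}.match(path)
  return session unless m
  id = m[2].to_i
  return session unless session.key?(id)
  session.merge(id => (m[1] == "pass"))
end

# Summarise the session as PASS/FAIL per test.
def report(session, cases = TEST_CASES)
  cases.map { |tc| [tc.id, session[tc.id] ? "PASS" : "FAIL"] }.to_h
end
```

A compliant browser only ever hits /test/pass/14, leaving test 15 at its initial "passed" state; a browser that ignores script-src 'none' hits /test/fail/15 and flips it to "failed".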