CSP 1.0 browser compliance testing


For some time now I have been maintaining a CSP readiness page at 

I recently rewrote the whole test page into a new version with loads of 
more tests at:

Contributions in terms of new tests and QA of the existing ones are highly
appreciated (other contributions as well of course). See below if you are 

Best regards
Erlend Oftedal


The code is at github: http://github.com/eoftedal/csptesting

A quick note on how the code works:
  - test cases are in test_case.rb at the bottom
  - each test loads a template in a hidden iframe
  - the iframe includes CSP as a header
  - the iframe does a requests that should succeed or not depending on the directives in the CSP header
  - If the intention of the test is to test if a blocked request for some reason goes through, it will point to /test/fail/[test id]
  - If the intention of the test is to test if an allowed request goes through, it will point to /test/pass/[test id]
  - The session holds a list of all tests with the opposite result, and this list is updated depending on the incoming request.

The test to check that script-src 'none' blocks script-tags, opens 
up an iframe with <script src="/test/fail/15"></script>. In the session 
test 15 is set to true (passed). If for some reason a request is made despite the
CSP header, the request will cause test 15 in the session to be set to false (failed).
In the opposite test where script-src 'self' is allowed, the test is 
marked as false in the session. When the request is made, the test is 
flipped to true in the session (the url is now /test/pass/14).

You can see individual tests like this: 

Ideally you should be able to add new tests, by adding a line or two to TestCase.rb, and adding a new template.

Received on Friday, 7 September 2012 21:43:44 UTC