- From: Erlend Oftedal <erlend@oftedal.no>
- Date: Fri, 7 Sep 2012 19:41:16 +0200 (CEST)
- To: public-webappsec@w3.org
Hi

For some time now I have been maintaining a CSP readiness page at http://erlend.oftedal.no/blog/csp/readiness/

I recently rewrote the whole test page into a new version with loads more tests at: http://csptesting.herokuapp.com

Contributions in terms of new tests and QA of the existing ones are highly appreciated (other contributions as well of course). See below if you are interested.

Best regards
Erlend Oftedal

--
Contributions:

The code is at github: http://github.com/eoftedal/csptesting

A quick note on how the code works:
- test cases are in test_case.rb at the bottom
- each test loads a template in a hidden iframe
- the iframe includes CSP as a header
- the iframe does a request that should succeed or not depending on the directives in the CSP header
- If the intention of the test is to test if a blocked request for some reason goes through, it will point to /test/fail/[test id]
- If the intention of the test is to test if an allowed request goes through, it will point to /test/pass/[test id]
- The session holds a list of all tests with the opposite result, and this list is updated depending on the incoming request.

Example: The test to check that script-src 'none' blocks script tags opens up an iframe with <script src="/test/fail/15"></script>. In the session, test 15 is set to true (passed). If for some reason a request is made despite the CSP header, the request will cause test 15 in the session to be set to false (failed).

In the opposite test, where script-src 'self' is allowed, the test is marked as false in the session. When the request is made, the test is flipped to true in the session (the url is now /test/pass/14).

You can see individual tests like this:
http://csptesting.herokuapp.com/test/load/15
http://csptesting.herokuapp.com/test/load/14

Ideally you should be able to add new tests by adding a line or two to TestCase.rb and adding a new template.
Received on Friday, 7 September 2012 21:43:44 UTC
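The pass/fail bookkeeping the mail describes, as an added example that is not part of the message or of the csptesting project's code: a dependency-free Ruby model of the harness. A test case carries the CSP header its iframe is served with and whether the request it triggers is expected to be blocked; loading a test seeds the session with the "opposite" result, and the arrival of the iframe's request at /test/pass/<id> or /test/fail/<id> flips it. The `TestCase` fields, `CspTestApp` class, the Rack-style `call` method and the two sample cases (ids 14 and 15 with constructed templates) are assumptions made for this illustration, not the project's real structure.

```ruby
# Added example (not the csptesting project's own code): a minimal model of the
# session bookkeeping behind /test/load, /test/pass and /test/fail.
# Test ids, CSP values and templates below are constructed for illustration.

TestCase = Struct.new(:id, :description, :csp, :expect_blocked, :template) do
  # A request that the CSP should block points at /test/fail/<id>; one that the
  # CSP should allow points at /test/pass/<id>.
  def target_path
    "/test/#{expect_blocked ? 'fail' : 'pass'}/#{id}"
  end

  # Seed value in the session: a "should be blocked" test starts as passed (true)
  # and is falsified if the request arrives anyway; a "should be allowed" test
  # starts as failed (false) and is confirmed when the request arrives.
  def initial_result
    expect_blocked
  end

  # Render the template with the target path substituted in.
  def html
    template % { path: target_path }
  end
end

# Constructed sample cases mirroring the two tests mentioned in the mail.
TEST_CASES = [
  TestCase.new(14, "script-src 'self' allows a same-origin script",
               "script-src 'self'", false, '<script src="%{path}"></script>'),
  TestCase.new(15, "script-src 'none' blocks script tags",
               "script-src 'none'", true, '<script src="%{path}"></script>')
].each_with_object({}) { |t, h| h[t.id] = t }

class CspTestApp
  attr_reader :session # test id => current result (true = passed)

  def initialize(cases = TEST_CASES)
    @cases = cases
    @session = {}
  end

  # Rack-style entry point: takes an env hash, returns [status, headers, body].
  def call(env)
    case env['PATH_INFO']
    when %r{\A/test/load/(\d+)\z}
      load_test(Regexp.last_match(1).to_i)
    when %r{\A/test/(pass|fail)/(\d+)\z}
      record_request(Regexp.last_match(1), Regexp.last_match(2).to_i)
    else
      [404, { 'Content-Type' => 'text/plain' }, ['not found']]
    end
  end

  # Serve the iframe content with the test's CSP header and seed the session.
  def load_test(id)
    tc = @cases[id]
    return [404, { 'Content-Type' => 'text/plain' }, ['unknown test']] unless tc

    @session[id] = tc.initial_result
    headers = { 'Content-Type' => 'text/html', 'Content-Security-Policy' => tc.csp }
    [200, headers, [tc.html]]
  end

  # The browser reaching this endpoint is the evidence: /pass confirms an
  # allowed request, /fail proves a supposedly blocked request went through.
  def record_request(kind, id)
    return [404, { 'Content-Type' => 'text/plain' }, ['unknown test']] unless @cases.key?(id)

    @session[id] = (kind == 'pass')
    [200, { 'Content-Type' => 'text/plain' }, ['ok']]
  end

  # Human-readable summary of every test loaded so far.
  def report
    @session.map { |id, ok| "#{id}: #{@cases[id].description} => #{ok ? 'PASS' : 'FAIL'}" }
  end
end

if __FILE__ == $PROGRAM_NAME
  app = CspTestApp.new
  # Simulate a browser that enforces the policy for test 15 (no request arrives)
  # and one that honours 'self' for test 14 (the request arrives).
  app.call('PATH_INFO' => '/test/load/15')
  app.call('PATH_INFO' => '/test/load/14')
  app.call('PATH_INFO' => '/test/pass/14')
  puts app.report
end
```

Running the file prints one PASS line per test; in a real run the `/test/pass` and `/test/fail` hits come from the browser fetching the iframe's script, so a browser that ignores `script-src 'none'` would hit `/test/fail/15` and flip that entry to FAIL.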