Re: [webappsec] Help build the CSP test suite at Test the Web Forward Portland, August 3

On Wed, Jun 4, 2014, at 20:46, Brad Hill wrote:
> Ian Melvin and I are hosting a Test the Web Forward event on August 3rd
> in Portland, the Sunday following the CascadiaJS conference.

Nice!

> http://testthewebforward.org/events/2014/portland.html

But you say PHP there?

It would be very sad to create new tests using PHP, when we haven't even
ported the ones that exist to the new simpler and more powerful wptserve
(Python based).

Actually we have exactly zero CSP tests in web platform tests atm.  That
really is too bad.  We should at least have a folder with one test that
is well-written and with a good python-script that can return what you
specify from the http-file.  Not unlike how the CORS tests are done.

Actually, I think that many CSP tests can be done without any code at
all, most are just setting headers and can do the test itself in
JavaScript. The headers can be set using a simple
`<yourfilename>.headers` or `__dir__.headers` file [0].

[0] <http://wptserve.readthedocs.org/en/latest/handlers.html#file-handlers>


We currently have 5 outstanding reviews for CSP:

https://critic.hoppipolla.co.uk/r/118
https://critic.hoppipolla.co.uk/r/119
https://critic.hoppipolla.co.uk/r/120
https://critic.hoppipolla.co.uk/r/123
They all need a lot of fixups to fit well in the wptserve-world. If you
want, I can try to do the simplest test I can see there,
https://critic.hoppipolla.co.uk/r/123, so that we have a start.
Polishing up, -- logging what has been tested/not tested, porting these
tests to wptserve are very clear steps, and fit very well into Test the
Web Forward. Often people have problems knowing what to do. Also, once
someone knows what is tested, -- other, new tests can be written.

But it'd be very sad if we were to create even more backlog for
ourselves by not doing them directly as they should be in WPT from the
start.
HTTPS stuff is missing from the simple wptserve setup though, you'd
still need to set up a server et al. for that. :/

-- 
  Odin Hørthe Omdal
  odinho@opera.com

Received on Wednesday, 4 June 2014 19:25:00 UTC
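As an added illustration of the "no server code needed" point above (this is example code written for this page, not part of the original message nor of the web-platform-tests repository), here is what one such CSP test could look like under wptserve: the policy is delivered by a sibling `.headers` file, and the check itself is ordinary JavaScript on top of testharness.js. The file names, the nonce value and the chosen directive are assumptions; the `.headers` file layout is the one wptserve's file handler documents.

```html
<!--
  File: inline-script-blocked.html.headers
  (assumed name; wptserve's file handler serves "foo.html.headers" as the
  response headers for "foo.html", one "Name: value" line per header, so
  no PHP or Python is needed to get the policy onto the wire)

  Content-Security-Policy: script-src 'self' 'nonce-abcdef'

  The nonce is a fixed test value so the harness script below can run at
  all; the un-nonced inline block is the thing under test and must be
  blocked. (A real site would generate an unpredictable nonce per
  response; a constant one is only acceptable inside a test page.)
-->
<!DOCTYPE html>
<meta charset="utf-8">
<title>CSP: script-src 'self' blocks un-nonced inline script</title>
<!-- /resources/* is same-origin, so 'self' allows the harness to load. -->
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>

<!-- No nonce and not an external same-origin file: the policy must block this. -->
<script>
  window.inlineScriptRan = true;
</script>

<!-- Carries the nonce from the policy, so the test logic itself is allowed. -->
<script nonce="abcdef">
  test(function() {
    // Scripts execute in document order, so if the block above had been
    // allowed, the flag would already be set by the time this runs.
    assert_equals(window.inlineScriptRan, undefined,
                  "un-nonced inline script must not execute");
  }, "script-src 'self' 'nonce-...' set via .headers file blocks un-nonced inline script");

  test(function() {
    // The harness itself executing is the positive control: a same-origin
    // external script is permitted by 'self'.
    assert_equals(typeof assert_equals, "function",
                  "same-origin external script must be allowed");
  }, "script-src 'self' allows same-origin external script");
</script>
```

Both files sit next to each other in the test directory (a `__dir__.headers` file would instead apply the same policy to every file in that directory). The nonce is what makes the single-file layout work: without it the harness call would be blocked along with the inline script under test and the page would report nothing, which is the usual trap when writing script-src tests as one HTML file.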