W3C home > Mailing lists > Public > public-webappsec@w3.org > June 2014

Re: [webappsec] Help build the CSP test suite at Test the Web Forward Portland, August 3

From: Hill, Brad <bhill@paypal.com>
Date: Wed, 4 Jun 2014 19:41:28 +0000
To: Odin HÝrthe Omdal <odinho@opera.com>
CC: WebAppSec WG <public-webappsec@w3.org>, "public-webappsec-testsuite@w3.org" <public-webappsec-testsuite@w3.org>
Message-ID: <A3E098E8-33A0-42CF-872F-21A8F4B7F336@paypal.com>
Yes,

As I've mentioned before during the requirements and development phase of wptserve, CSP is a bit more complex than most specs in its test requirements and I'm not sure the environment has what we need.  

I'd love it if we could make this work, and maybe I don't understand all of what the new framework can do, but here's a few things we need:

1) Wildcard, or at least multiple-cname, TLS support.  This is absolutely critical for the scenarios where CSP actually matters and will be deployed.

2) The ability to not only set headers, but to access the value of the headers from within the tests. (e.g. to compare reports vs. the policies that were set) In PHP this is simple.  I don't know if one can do this with the .headers file approach.

3) We also need to test that reports are sent correctly.  Right now, We have a support PHP script that actually writes to temp files on disk and then allows the test case to call back and see what the results were.  I tried an earlier version that wrote the reports to a cookie, but some user agents use an anonymous fetch for report sending and so discard cookies and all other response data, so I had to fall back to server-side state. I have no idea if it is possible to do this with wptserve.

This is why I'm running an AWS server at my own cost so I can provide a turn-key environment for people who want to contribute tests, with all the necessary setup done, including a valid wildcard TLS certificate. 

If there's a better way that we can get a simpler setup working before TTWF, I'd love to hear it, but I'm not sure there is.

-Brad

On Jun 4, 2014, at 12:24 PM, Odin HÝrthe Omdal <odinho@opera.com> wrote:

> On Wed, Jun 4, 2014, at 20:46, Brad Hill wrote:
>> Ian Melvin and I are hosting a Test the Web Forward event on August 3rd
>> in Portland, the Sunday following the CascadiaJS conference.
> 
> Nice!
> 
>> http://testthewebforward.org/events/2014/portland.html
> 
> But you say PHP there?
> 
> It would be very sad to create new tests using PHP, when we haven't even
> ported the ones that exist to the new simpler and more powerful wptserve
> (Python based).
> 
> Actually we have exactly zero CSP tests in web platform tests atm.  That
> really is too bad.  We should at least have a folder with one test that
> is well-written and with a good python-script that can return what you
> specify from the http-file.  Not unlike how the CORS tests are done.
> 
> Actually, I think that many CSP tests can be done without any code at
> all, most are just setting headers and can do the test itself in
> Javascript. The headers can be set using a simple
> `<yourfilename>.headers` or `__dir__.headers` file [0].
> 
>  0.
>  <http://wptserve.readthedocs.org/en/latest/handlers.html#file-handlers>
> 
> 
> We currently have 5 outstanding reviews for CSP:
> 
> https://critic.hoppipolla.co.uk/r/118
> https://critic.hoppipolla.co.uk/r/119
> https://critic.hoppipolla.co.uk/r/120
> https://critic.hoppipolla.co.uk/r/123
> 
> 
> They all need a lot of fixups to fit well in the wptserve-world. If you
> want, I can try to do the simplest test I can see there,
> https://critic.hoppipolla.co.uk/r/123, so that we have a start.
> 
> 
> Polishing up, -- logging what has been tested/not tested, porting these
> tests to wptserve is very clear steps, and fits very well into Test the
> Web Forward. Often people have problems knowing what to do. Also, once
> someone knows what is tested, -- other, new tests can be written.
> 
> But it'd be very sad if we were to create even more backlog for
> ourselves by not doing them directly as they should be in WPT from the
> start.
> 
> 
> HTTPS stuff is missing from the simple wptserve setup though, you'd
> still need to set up a server et al. for that. :/
> 
> -- 
>  Odin HÝrthe Omdal
>  odinho@opera.com
> 
Received on Wednesday, 4 June 2014 19:41:58 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:05 UTC