Closed Bug 915065 (csp-report-uri-tests) Opened 12 years ago Closed 11 years ago

Improve Content Security Policy tests to contain and check json report objects

Categories

(Core :: DOM: Security, defect)

x86_64
Linux
defect
Not set
normal


RESOLVED WORKSFORME

People

(Reporter: freddy, Unassigned)

References

(Blocks 1 open bug)

Details

It looks like we have very few tests for CSP. Tests could be implemented in several ways; there are currently devtools tests that check whether a violation message is being emitted. A good test would probably check that:
- the blocked resource is not being loaded / script is not executed
- a meaningful message is logged to the web console
- a spec-compliant report is sent
We might write a lot of tests, e.g. for each directive, for each possibility to execute JavaScript from strings, etc. If we test for a sane report in each of those cases, we can avoid having to write a big report test and update it regularly.
Could you explain how this is related to Lightning extension? Or did you choose the wrong product?
Core, not Calendar of course. Sorry for the noise!
Product: Calendar → Core
It took me a while to understand (and find) the actual set of CSP tests. The state is not as bad as I thought, sorry. But currently, none of the tests check for the report object being OK...
It looks like I should find a way to update all existing tests to contain some sort of expected report and check if they match (for each). On top, we would also need a generic report test that checks for policy-independent behavior (cookies, redirects, parameters being stripped off of the 'blocked-uri' part, etc.)
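As an added example (not code from this bug or from mozilla-central), here is a policy-independent check of a report body of the kind the comment above describes: it parses the JSON POSTed to report-uri and verifies that 'blocked-uri' has been stripped of query and fragment before comparing it with what the test expects. The report shape ({"csp-report": {...}} with the fields below), the stripping rule, and the sample reports are assumptions; cookie and redirect behaviour of the POST itself is not visible in the body and is not checked here.

```javascript
// Added example, not from the bug or from mozilla-central. Assumed report shape:
// {"csp-report": {"document-uri", "violated-directive", "original-policy", "blocked-uri", ...}}
// Assumed stripping rule: blocked-uri carries neither a query string nor a fragment.

const REQUIRED_FIELDS = ["document-uri", "violated-directive", "original-policy", "blocked-uri"];

// Returns a list of problems; an empty list means the report matched expectations.
function checkCspReport(body, expected) {
  const problems = [];
  let parsed;
  try {
    parsed = JSON.parse(body);
  } catch (e) {
    return ["report body is not valid JSON"];
  }
  const report = parsed["csp-report"];
  if (typeof report !== "object" || report === null) {
    return ['missing top-level "csp-report" object'];
  }
  for (const field of REQUIRED_FIELDS) {
    if (typeof report[field] !== "string") problems.push(`missing or non-string field ${field}`);
  }
  // Policy-independent checks: parameters and fragments must not leak into the report.
  const blocked = report["blocked-uri"] || "";
  if (/[?#]/.test(blocked)) problems.push("blocked-uri still carries query or fragment");
  const doc = report["document-uri"] || "";
  if (doc.includes("#")) problems.push("document-uri still carries fragment");
  // Per-test expectations supplied by the caller (the policy-specific part).
  if (expected.violatedDirective !== undefined && report["violated-directive"] !== expected.violatedDirective) {
    problems.push(`violated-directive is ${JSON.stringify(report["violated-directive"])}`);
  }
  if (expected.blockedUri !== undefined && blocked !== expected.blockedUri) {
    problems.push(`blocked-uri is ${JSON.stringify(blocked)}, expected ${JSON.stringify(expected.blockedUri)}`);
  }
  return problems;
}

// Constructed sample reports (not captured from a browser).
const EXPECT = { violatedDirective: "script-src 'self'", blockedUri: "https://cdn.example.test/lib.js" };
const GOOD_REPORT = JSON.stringify({ "csp-report": {
  "document-uri": "https://example.test/page.html", "referrer": "",
  "violated-directive": "script-src 'self'", "original-policy": "script-src 'self'; report-uri /report",
  "blocked-uri": "https://cdn.example.test/lib.js" } });
// Same report, but the blocked URI was not stripped: the session parameter and fragment leak.
const LEAKY_REPORT = GOOD_REPORT.replace('lib.js"', 'lib.js?session=abc123#frag"');
```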
Alias: csp-tests → csp-report-uri-tests
Summary: Develop a set of tests for Content Security Policy → Improve Content Security Policy tests to contain and check json report objects
Component: Security → DOM: Security
Hey Frederik, we are triaging CSP bugs. I was wondering if this test is sufficient: http://mxr.mozilla.org/mozilla-central/source/dom/base/test/csp/test_csp_report.html?force=1 or if you are looking for any additional test coverage, if so, please let us know.
Flags: needinfo?(fbraun)
Thanks for bringing this up again. I filed this because I saw a mismatch between our tests and the web platform tests that used to exist on <http://webappsec-test.info/web-platform-tests/csp/> (this link is now outdated!). I think we can resolve this, given that we also have the web-platform-tests in tree now as well. Bug 607067, Bug 879316 and Bug 108465 also changed CSP tests and reporting.
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: needinfo?(fbraun)
Resolution: --- → WORKSFORME