Security/CSP/Test Plan
Test Plan for CSP
This page outlines what needs to be tested to ensure an implementation of the Content Security Policy (CSP) mechanism works properly. The page is currently under construction and is being fleshed out slowly.
Testing Basic Restrictions
Install the most relaxed policy, "allow *,data", via the HTTP header and verify the following:
- Verify inline script violates policy
- Verify external scripts do not break policy
- Verify failure of string-to-code conversions
Verify failure of string-to-code conversions
- Event listener extraction (string-based callbacks in JavaScript) fails
- eval() breaks
- setTimeout(string, msec) breaks
- setTimeout(identifier, msec) works
- setInterval(string, delay) breaks
- setInterval(identifier, delay) works
- new Function(string) fails
- Other forms of function work:
- x = function() { ... }
- function x() { ... }
- javascript: URI scheme is disallowed
- data: URI scheme is allowed, even in script tags' src attributes.
- MIME-type enforcement for script and JSON is in place
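A probe page for the string-to-code cases above can be driven by the harness below. It is an added example, not part of this test plan or of any browser's test suite. Each probe records a flag when its code actually executes, so a conversion the browser suppresses silently is reported as blocked just like one that throws an EvalError; `__cspMark` is a made-up global that code compiled from a string uses to set that flag. Run the harness in a page served with the policy under test and compare each probe's observed result with its `expect` value; run without any policy, it should report exactly the string-to-code probes as violations, which is a useful sanity check of the harness itself. The timer probes only mean something in a browser: Node.js rejects a string callback with a TypeError before any policy question arises.

```javascript
// Added example: probe harness for the string-to-code conversion tests.
// Each probe tries one conversion; the compiled code sets a flag through the
// (hypothetical) global __cspMark, so execution is detected directly rather
// than inferred from exceptions alone.

const flags = {};
function mark(name) { flags[name] = true; }
globalThis.__cspMark = mark; // reachable from code compiled out of a string

const syncProbes = [
  // string-to-code conversions: must not run under the policy
  { name: "eval", expect: "blocked",
    run: () => eval('__cspMark("eval")') },
  { name: "new Function", expect: "blocked",
    run: () => new Function('__cspMark("new Function")')() },
  // ordinary function forms: must keep working
  { name: "function expression", expect: "ran",
    run: () => { const x = function () { mark("function expression"); }; x(); } },
  { name: "function declaration", expect: "ran",
    run: () => { function x() { mark("function declaration"); } x(); } },
];

const timerProbes = [
  { name: "setTimeout(string)", expect: "blocked",
    run: () => setTimeout('__cspMark("setTimeout(string)")', 0) },
  { name: "setTimeout(function)", expect: "ran",
    run: () => setTimeout(() => mark("setTimeout(function)"), 0) },
  { name: "setInterval(string)", expect: "blocked",
    run: () => { const id = setInterval('__cspMark("setInterval(string)")', 0);
                 setTimeout(() => clearInterval(id), 20); } },
  { name: "setInterval(function)", expect: "ran",
    run: () => { const id = setInterval(() => { mark("setInterval(function)"); clearInterval(id); }, 0); } },
];

// "ran": the code executed; "blocked": it did not, with either no exception or
// an EvalError (how the refusal is reported); anything else is a harness error.
function classify(name, threw) {
  if (flags[name] === true) return "ran";
  if (threw === null || threw instanceof EvalError) return "blocked";
  return "error: " + (threw && threw.name);
}

function runSyncProbes() {
  const results = {};
  for (const p of syncProbes) {
    delete flags[p.name];
    let threw = null;
    try { p.run(); } catch (e) { threw = e; }
    results[p.name] = classify(p.name, threw);
  }
  return results;
}

// Timer callbacks fire later, so wait before classifying. Only meaningful in a
// browser: Node.js rejects a string callback with a TypeError up front.
function runTimerProbes(waitMs = 50) {
  const threw = {};
  for (const p of timerProbes) {
    delete flags[p.name];
    threw[p.name] = null;
    try { p.run(); } catch (e) { threw[p.name] = e; }
  }
  return new Promise(resolve => setTimeout(() => {
    const results = {};
    for (const p of timerProbes) results[p.name] = classify(p.name, threw[p.name]);
    resolve(results);
  }, waitMs));
}

// Names of probes whose observed result differs from what the policy requires.
function violations(results, probes) {
  return probes.filter(p => p.name in results && results[p.name] !== p.expect)
               .map(p => p.name);
}
```

In a test page, call `runSyncProbes()` immediately and `runTimerProbes().then(...)` afterwards, then feed both result objects to `violations(...)` with the matching probe list; an empty list means the policy behaved as this section requires.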
Pre-defined Functions as Event Handlers
Make sure event handlers can only be registered as references to functions that already exist (functions defined before the handler is attached), not as strings of source text that would be compiled into new functions. In essence, handlers can be registered through JavaScript function references but not through HTML attribute strings or string-valued handler properties.
- foo.onclick = bar; OK
- foo.onclick = "bar"; FAIL
- foo.addEventListener("click", bar); OK
- foo.addEventListener("click", "bar"); FAIL
XBL restrictions
- Works through chrome: and resource: schemes
- Fails through other schemes (like http:)
Restrictive Policy Testing
Test for false negatives (loads that should be blocked but succeed) using policy "allow none". Brute force one or two URIs for each directive, including an XHR test to verify the "allow" directive.
Relaxed Policy Testing
Test for false positives (loads that should succeed but are blocked) using policy "allow *". Brute force one or two URIs for each directive, including an XHR test to verify the "allow" directive. Ensure that data: URIs fail, since "*" does not include them.
Host item/source Testing
(Test parsing of various complex source expressions, and their policy-based use once parsed)
Use policy "allow self,https://foo.com:443" and verify:
- wrong port breaks in all directives
- wrong scheme breaks in all directives
- wrong host breaks in all directives
- right source works in all directives
Also verify breakage with XMLHttpRequest for each mismatch (wrong host, wrong port, wrong scheme, and all three at once).
Battery of Randomized Complex Policies
Improvise.
Policy Intersection Testing
- Attempt to use META tag to loosen policy, verify failure
- Attempt to use META tag to tighten policy, verify success
- Verify no change when intersecting identical policies
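The expected outcome of each host-source case and each intersection case above can be computed with a small model of the draft policy grammar this page uses, which doubles as a test oracle when brute-forcing URIs. This is an added example, not code from the Mozilla implementation or from this test plan. The semantics it encodes are assumptions drawn from the cases on this page: an omitted scheme means the protected document's scheme and an omitted port the scheme's default port; "*" does not cover data: or javascript: URIs; directives without their own source list fall back to "allow", and a policy with neither fails closed; Policy-URI mixed with other directives fails closed; and header and META policies are intersected by allowing a load only when every policy allows it. The document URL https://example.org/page is made up, and the page's "data" shorthand is written "data:" here.

```javascript
// Added example: model of the draft CSP policy grammar used on this page.
// Sources: self | none | * | "scheme:" | [scheme://]host[:port] (host may be
// "*.example"); semantics as assumed in the lead-in.

const DEFAULT_PORTS = { http: "80", https: "443", ftp: "21" };
const schemeOf = u => u.protocol.slice(0, -1);
const portOf = u => u.port || DEFAULT_PORTS[schemeOf(u)] || "";

function parseSource(tok, docUrl) {
  tok = tok.trim().toLowerCase();
  if (tok === "none") return { kind: "none" };
  if (tok === "*") return { kind: "any" };
  if (tok === "self") {   // the protected document's scheme, host and port
    const d = new URL(docUrl);
    return { kind: "host", scheme: schemeOf(d), host: d.hostname, port: portOf(d) };
  }
  if (/^[a-z][a-z0-9+.-]*:$/.test(tok)) return { kind: "scheme", scheme: tok.slice(0, -1) };
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([a-z0-9*.-]+)(?::(\d+|\*))?$/.exec(tok);
  if (!m) throw new Error("unparseable source: " + tok);
  const scheme = m[1] || schemeOf(new URL(docUrl));   // omitted scheme: document's
  return { kind: "host", scheme, host: m[2], port: m[3] || DEFAULT_PORTS[scheme] || "" };
}

// "allow self,https://foo.com:443; img-src *" -> { allow: [...], "img-src": [...] }
function parsePolicy(text, docUrl) {
  const policy = {};
  for (const part of text.split(";")) {
    const [name, ...rest] = part.trim().split(/\s+/);
    if (!name) continue;
    const directive = name.toLowerCase();
    if (directive === "policy-uri") { policy[directive] = rest.join(" "); continue; }
    policy[directive] = rest.join(" ").split(/[\s,]+/).filter(Boolean)
                            .map(t => parseSource(t, docUrl));
  }
  // Policy-URI may only appear alone; mixed with other directives, fail closed.
  if ("policy-uri" in policy && Object.keys(policy).length > 1) {
    return { allow: [{ kind: "none" }] };
  }
  return policy;
}

function sourceMatches(src, u) {
  const scheme = schemeOf(u);
  switch (src.kind) {
    case "none":   return false;
    case "any":    return scheme !== "data" && scheme !== "javascript";
    case "scheme": return scheme === src.scheme;
    case "host":
      if (scheme !== src.scheme) return false;
      if (src.port !== "*" && portOf(u) !== src.port) return false;
      if (src.host.startsWith("*.")) return u.hostname.endsWith(src.host.slice(1));
      return u.hostname === src.host;
  }
  return false;
}

// A single policy: the directive's own list, else "allow", else fail closed.
function policyAllows(policy, directive, uri) {
  const sources = policy[directive] || policy.allow || [{ kind: "none" }];
  const u = new URL(uri);
  return sources.some(src => sourceMatches(src, u));
}

// Intersection of all policies in force (HTTP header plus META): a load is
// allowed only if every policy allows it, so META can tighten but never loosen.
function allows(policies, directive, uri) {
  return policies.every(p => policyAllows(p, directive, uri));
}

// Worked host-source cases from this plan; DOC is the assumed document URL.
const DOC = "https://example.org/page";
const hostPolicy = parsePolicy("allow self,https://foo.com:443", DOC);
const hostCases = {
  "right source": allows([hostPolicy], "img-src", "https://foo.com/a.png"),      // true
  "wrong port":   allows([hostPolicy], "img-src", "https://foo.com:8443/a.png"), // false
  "wrong scheme": allows([hostPolicy], "img-src", "http://foo.com/a.png"),       // false
  "wrong host":   allows([hostPolicy], "img-src", "https://bar.com/a.png"),      // false
};
```

To generate the brute-force matrix for a directive, loop `allows(...)` over the candidate URIs and compare each result with what the browser actually loaded; any disagreement is a false positive or false negative to investigate. The same `allows` call with two parsed policies gives the expected answer for each META-versus-header intersection case.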
Policy URI
- Policy-URI mixed with other directives: verify failure (fail closed)
- Policy-URI alone in HTTP header, policy in META: verify that the policy is fetched
- Policy-URI alone in META tag, policy in HTTP header: verify fetched policy
- Policy URI alone in only META tag: verify fetched policy
- Policy URI alone in only HTTP header: verify fetched policy
- Policy URI different in META and HTTP: verify both are fetched and intersected
- Policy URI identical in META and HTTP: verify only one is fetched