Security/Origin:Test Plan

From MozillaWiki
Jump to: navigation, search

Test Plan for Origin Header

This page will outline things that need to be tested to ensure an implementation of the "Origin" header (or whatever we have to call it) works properly.

HTML tags/attributes that cause HTTP requests

Standard URI tag attributes common to all HTML5 tags:

Attribute Description
ref Reference to another document or part of the document (only if the template attribute is set)
template Reference to another document or part of the document that should be applied to an element

Non-standard attributes

Tag Attribute HTML v. Request When Origin Value Sent
a href 4, 5 when clicked "null"
ping 5 when clicked "null"
area href 4, 5 when clicked "null"
ping 5 when clicked "null"
audio src 5 on play "null"?
blockquote cite 4, 5  ?  ?
body background 4 on render (deprecated) "null"
command icon 5 on render "null"
del cite 4, 5  ?  ?
embed src 5 on render origin
eventsource src 5 on load, and repeated ?? origin ?
form action 4, 5 submit/click origin
data 5 on render "null"?
frame longdesc 4 on render (deprecated) origin ?
src 4 on render (deprecated) origin
html manifest 4, 5 on render (fetches cache manifest) "null"
iframe longdesc 4 on render (not supported) "null" ?
src 4, 5 on render origin
img src 4, 5 on render "null"
ismap 4, 5 on click ? "null"
longdesc 4 on render (not supported) "null"
usemap 4, 5 on render ? "null"
input src 4, 5 on render (image button) "null"
ins cite 4, 5  ?  ?
link href 4, 5 on parse "null" ?
object archive 4 on render "null"
codebase 4 on render "null"
data 4, 5 on render "null"
usemap 4, 5 on render "null"
q cite 4, 5  ?  ?
script src 4, 5 on render origin
select data 5 on parse origin
source src 5 on parse  ?
video src 5 on play "null"
poster 5 on render "null"

JavaScript expressions that cause an HTTP request

window.location
window.open
...

TODO

Frame-nesting Scenarios

Because the list of frame ancestors is sent in a header, we must make sure that the appropriate origin data is sent even when the target of the request is deep inside a set of frames. The following scenarios will be checked:

TODO: images for the following where A is the frame target for the request

  • A alone (origin only)
  • B embeds A (origin + B)
  • B embeds both C and A as siblings (origin + B)
  • C embeds B and D, B embeds A (origin + C B)
  • B embeds A, A embeds C (origin + B)
  • C embeds B, B embeds A (origin + C B)

Planning/deployment of a Test Suite

TODO