CSP test demo

General discussion about the NoScript extension for Firefox
luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

CSP test demo

Post by luntrus » Fri Oct 02, 2009 6:36 pm

Hi NS forum friends,

When I visit: http://people.mozilla.org/~bsterne/cont ... y/demo.cgi
to test my Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.3a1pre) Gecko/20090929 Minefield/3.7a1pre ID:20090929160423 for the workings of CSP, I have to allow the site in NS to make the test work.
If NS is active I get a FAIL, else PASS.

How can I benefit from CSP coming to the browser (and on a server near me) with NS active?

luntrus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.3a1pre) Gecko/20090929 Minefield/3.7a1pre

Giorgio Maone
Site Admin
Posts: 8830
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: CSP test demo

Post by Giorgio Maone » Fri Oct 02, 2009 6:52 pm

No idea.
What's failing, exactly?
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)

luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Re: CSP test demo

Post by luntrus » Fri Oct 02, 2009 7:39 pm

Hi Giorgio Maone,

On the demo page http://people.mozilla.org/~bsterne/cont ... c-test.cgi
there is this script:

Code:

// Flip the result element from its default FAIL to PASS.
function passTest() {
  var r = document.getElementById("result");
  r.style.color = "#080";
  r.textContent = "PASS";
}
// Load an image from a third-party host; under "allow 'self'" the browser
// must refuse the load, so onerror (and therefore passTest) fires.
var i = document.getElementById("badImage");
i.onerror = passTest;
i.src = "http://hackmill.com/csp/tests/resources/1x1.gif";

If I don't allow Mozilla.org I get FAIL; if I temporarily allow Mozilla.org I get PASS.
So the working of CSP in the browser is dependent on whether I allow script to be executed for Mozilla.org.
The same goes for the demo part of the page:

Code:

<!-- Sent as the response header: "X-Content-Security-Policy: allow 'self'" -->
<html>
<head>
<style>
#result { color: #080; }
</style>
</head>
<body>
<h1 id="result">PASS</h1>
<!-- same-origin script, permitted by 'self' -->
<script type="text/javascript" src="script/eval-script-test.js"></script>
</body>
</html>

If I do not allow Mozilla.org for that test page, it won't even open. So CSP is only functional when script for the CSP-authorized part of the website is allowed (and only authorized script from the web server can be run; the main bi-functional anti-cross-site-scripting functionality).
So CSP in my opinion is a last-line-of-defense security measure when script is allowed by NS or on NS-whitelisted sites; else NS overrides the CSP functionality and provides equal security. Did I fully understand that?

luntrus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.3a1pre) Gecko/20090929 Minefield/3.7a1pre

Giorgio Maone
Site Admin
Posts: 8830
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: CSP test demo

Post by Giorgio Maone » Fri Oct 02, 2009 7:58 pm

Wrong assumptions, luntrus.
The tests depend on JavaScript being enabled, not the features.
CSP is working correctly; it's just the test page which is unable to tell you this until you enable JavaScript.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)

luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Re: CSP test demo

Post by luntrus » Sat Oct 03, 2009 10:46 am

Hi Giorgio Maone,

Understood: CSP functions, JS is blocked to view the test page.

luntrus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Iron/3.0.197.0 Safari/532.0
