Hi NS forum friends,
When I visit: http://people.mozilla.org/~bsterne/cont ... y/demo.cgi
to test my Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.3a1pre) Gecko/20090929 Minefield/3.7a1pre ID:20090929160423 for the workings of CSP, I have to allow the site in NS to make the test work.
If NS is active I will get a FAIL, else PASS.
How can I benefit from CSP coming to the browser (and on a server near me) with NS active?
luntrus
CSP test demo
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.3a1pre) Gecko/20090929 Minefield/3.7a1pre
- Giorgio Maone
- Site Admin
- Posts: 9454
- Joined: Wed Mar 18, 2009 11:22 pm
- Location: Palermo - Italy
Re: CSP test demo
No idea.
What's failing, exactly?
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)
Re: CSP test demo
Hi Giorgio Maone,
On the demo page http://people.mozilla.org/~bsterne/cont ... c-test.cgi
there is this script:
// Mark the test as passed: the cross-site image was refused, so onerror fired.
function passTest() {
var r = document.getElementById("result");
r.style.color = "#080";
r.textContent = "PASS";
}
// Point the image at a third-party host; under "allow 'self'" CSP must block it,
// and the blocked load is what triggers onerror.
var i = document.getElementById("badImage");
i.onerror = passTest;
i.src = "http://hackmill.com/csp/tests/resources/1x1.gif";
So the working of CSP in the browser is dependent on whether I allow script to be executed for Mozilla.org.
The same goes for the demo part of the page:
<!-- "X-Content-Security-Policy: allow 'self'" -->
<html>
<head>
<style>
#result { color: #080; }
</style>
</head>
<body>
<h1 id="result">PASS</h1>
<script type="text/javascript" src="script/eval-script-test.js"></script>
</body>
</html>
So CSP, in my opinion, is last-line-of-defense security when script is allowed by NS or on NS-whitelisted sites; otherwise NS overrides the CSP functionality and provides equal security. Did I fully understand that?
luntrus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.3a1pre) Gecko/20090929 Minefield/3.7a1pre
- Giorgio Maone
- Site Admin
Re: CSP test demo
Wrong assumptions, luntrus.
The tests depend on JavaScript to be enabled, not the features.
CSP is working correctly, it's just the test page which is unable to tell this until you enable Javascript.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)
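Added example (not from either poster, and not Mozilla's demo code): a toy model of the old "X-Content-Security-Policy: allow 'self'" check and of the image test's readout, showing that a blocked script leaves the page on its static text whether or not CSP enforced anything. The page URL and the static "FAIL" default are assumptions; the image URL is the one from the quoted script.

```javascript
// Resolve a (possibly relative) resource URL against the page and return its origin.
function originOf(url, base) {
  return new URL(url, base).origin;
}

// Simplified matcher for the old "allow" directive. Only 'self', 'none', '*'
// and plain host sources are modelled here (assumption; the real grammar is richer).
function cspAllows(policy, pageUrl, resourceUrl) {
  const sources = policy.replace(/^allow\s+/i, "").trim().split(/\s+/);
  const pageOrigin = originOf(pageUrl, pageUrl);
  const resOrigin = originOf(resourceUrl, pageUrl);
  return sources.some((src) => {
    if (src === "'none'") return false;
    if (src === "*") return true;
    if (src === "'self'") return resOrigin === pageOrigin;
    const host = src.includes("://") ? src : "http://" + src;
    return resOrigin === originOf(host, pageUrl);
  });
}

// Model of the image test: the heading starts as FAIL (assumed static text);
// the page's script registers onerror and flips it to PASS when the cross-site
// image is refused. If script never runs (NoScript), nothing flips the text.
function imageTestReadout({ scriptEnabled, policy, pageUrl, imgUrl }) {
  if (!scriptEnabled) return "FAIL";
  const blocked = !cspAllows(policy, pageUrl, imgUrl);
  return blocked ? "PASS" : "FAIL";
}

// Constructed scenario mirroring the thread: same policy, same image, JS on/off.
const PAGE = "http://example.test/demo.cgi"; // placeholder for the demo page URL
const IMG = "http://hackmill.com/csp/tests/resources/1x1.gif";
const POLICY = "allow 'self'";

function scenario(scriptEnabled) {
  return imageTestReadout({ scriptEnabled, policy: POLICY, pageUrl: PAGE, imgUrl: IMG });
}
```

CSP's verdict on the image is identical in both runs; only the readout differs, which is why the FAIL with NS active says nothing about CSP.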
Re: CSP test demo
Hi Giorgio Maone,
Understood, CSP functions, JS blocked to view the test page,
luntrus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Iron/3.0.197.0 Safari/532.0