Browserscope security tests

Guest

Browserscope security tests

Post by Guest »

With NoScript, is the below correct for Firefox 3.6.3? Are there any NoScript settings I can change to PASS more of these security tests?

1. PASS postMessage API
2. PASS JSON.parse API
3. FAIL toStaticHTML API
4. PASS httpOnly cookie API
5. PASS X-Frame-Options
6. PASS X-Content-Type-Options
7. FAIL Block reflected XSS
8. PASS Block location spoofing
9. PASS Block JSON hijacking
10. PASS Block XSS in CSS
11. FAIL Sandbox attribute
12. FAIL Origin header
13. PASS Strict Transport Security

http://www.browserscope.org/security/test
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 ( .NET CLR 3.5.30729)
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Browserscope security tests

Post by Giorgio Maone »

BrowserScope is not necessarily accurate, and it's quite biased toward Chrome & IE (i.e. it tests for what it expects to find there).
For instance I had to make them correct a bug in their reflected XSS test which did not check for filter effectiveness, but for a Chrome/IE implementation detail.

However the tests which failed on you are:
  • FAIL toStaticHTML API - window.toStaticHTML() is a function implemented by IE8 which should serve the purpose of sanitizing a string by stripping out "active" HTML (i.e. markup which would trigger a script). Even though there's an RFE to introduce it in Firefox and, IIRC, a similar proposal for HTML 5, I would really prefer it not to fly because the same effect can be obtained by properly using DOM manipulation or a server side function via AJAX. Anyway no serious web site, especially if interoperable, uses it, so it's irrelevant. Side note: if I really wanted this test to pass with NoScript, I could easily implement toStaticHTML as a Script Surrogate; maybe I'll do it sooner or later, but as I said I don't care too much.
  • FAIL Block reflected XSS - now that I made them fix their buggy test, there's still an obstacle for it to be reported as PASS: you must allow not just browserscope.com, but two other domains (otherwise the frame where the test runs can't communicate with the top window to say NoScript blocked the attack). The easiest way is allowing scripts globally for the time it takes to run the test.
  • FAIL Sandbox attribute - the Sandbox attribute for IFrames is drafted by HTML5 and will probably be included in the next Firefox major release. Anyway, until web authors start to use it, which won't happen before Firefox has it, it's almost irrelevant. BTW, similar effects could be obtained by using CSP in Firefox or ABE in NoScript, but none of them are tested by browserscope ;)
  • FAIL Origin header - same as above: it will be implemented by all the major browsers as part of HTML5 work, it's not used right now so it's almost irrelevant, and the same effects can be obtained through ABE.
So, to recap, only 3 of the tests really fail (Reflected XSS is only reported as a failure, even though it actually passes), and all 3 features are going to be implemented in a future Firefox version, are currently irrelevant and can be emulated by NoScript's features.
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.4) Gecko/20100611 Firefox/3.6.4
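As an added illustration of the toStaticHTML contract Giorgio describes above (keep static markup, strip anything that would trigger a script), here is a small sanitizer written for this page; it is not code from the thread, from NoScript or from its Script Surrogate, and it rebuilds the markup from an assumed allowlist of tags and attributes rather than walking a browser DOM, so that it also runs outside a browser.

```javascript
// Added example, not code from the thread or from NoScript: a toStaticHTML-style
// sanitizer that rebuilds markup from an allowlist (assumed tag/attribute lists).
const STATIC_TAGS = new Set(['p', 'b', 'i', 'em', 'strong', 'a', 'ul', 'ol', 'li', 'br', 'span', 'div', 'img']);
const STATIC_ATTRS = new Set(['href', 'src', 'title', 'alt', 'class']);
const DROP_WITH_CONTENT = new Set(['script', 'style', 'iframe', 'object', 'embed']);
const BARE_AMP = /&(?!(?:[a-zA-Z]+|#\d+|#x[0-9a-fA-F]+);)/g; // '&' not already part of an entity
function escapeText(s) {
  return s.replace(BARE_AMP, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}
// Only http(s), mailto and relative URLs survive. Numeric entities, whitespace and
// control characters are removed first, as the browser does before scheme detection.
function safeUrl(value) {
  const v = value
    .replace(/&#(x?)([0-9a-f]+);?/gi, (_, x, n) => String.fromCharCode(parseInt(n, x ? 16 : 10)))
    .replace(/&tab;|&newline;|[\s\u0000-\u001f]/gi, '')
    .toLowerCase();
  const m = v.match(/^([a-z][a-z0-9+.-]*):/);
  return !m || ['http', 'https', 'mailto'].includes(m[1]);
}
function sanitizeAttrs(raw) {
  const attrRe = /([^\s=\/"']+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let out = '', m;
  while ((m = attrRe.exec(raw)) !== null) {
    const name = m[1].toLowerCase(), value = m[2] ?? m[3] ?? m[4] ?? '';
    if (!STATIC_ATTRS.has(name)) continue;                  // drops onclick, style, ...
    if ((name === 'href' || name === 'src') && !safeUrl(value)) continue;
    out += ` ${name}="${value.replace(BARE_AMP, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;')}"`;
  }
  return out;
}

function toStaticHTML(html) {
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9-]*)((?:"[^"]*"|'[^']*'|[^'">])*)>/g;
  let out = '', last = 0, skipUntil = null, m;
  while ((m = tagRe.exec(html)) !== null) {
    const closing = m[0][1] === '/', name = m[1].toLowerCase();
    if (skipUntil) {                                        // inside <script>...</script> etc.
      if (closing && name === skipUntil) skipUntil = null;
      last = tagRe.lastIndex;
      continue;
    }
    out += escapeText(html.slice(last, m.index));
    last = tagRe.lastIndex;
    if (DROP_WITH_CONTENT.has(name)) { if (!closing) skipUntil = name; continue; }
    if (!STATIC_TAGS.has(name)) continue;                   // unknown tag dropped, its text kept
    out += closing ? `</${name}>` : `<${name}${sanitizeAttrs(m[2])}>`;
  }
  return skipUntil ? out : out + escapeText(html.slice(last)); // unclosed <script>: drop the tail
}
```

Because output is re-serialized from the allowlist, anything the tokenizer does not positively recognize ends up escaped as text, which is the property that makes this safer than a blocklist filter.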
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Browserscope security tests

Post by Giorgio Maone »

Giorgio Maone wrote:
If I really wanted this test to pass with NoScript, I could easily implement toStaticHTML as a Script Surrogate

Done in latest development build :)
Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6
dhouwn
Bug Buster
Posts: 968
Joined: Thu Mar 19, 2009 12:51 pm

Re: Browserscope security tests

Post by dhouwn »

Giorgio Maone wrote:
the Sandbox attribute for IFrames is drafted by HTML5 and will be probably included in next Firefox major release.

Doesn't look like it: https://bugzilla.mozilla.org/show_bug.cgi?id=341604

(CSP on the other hand, seems to make steady progress)
Mozilla/5.0 (Windows; U; Windows NT 6.1; WOW64; en-US; rv:2.0b2pre) Gecko/20100629 Firefox/3.7