CSP test demo
Posted: Fri Oct 02, 2009 6:36 pm
by luntrus
Hi NS forum friends,
When I visit:
http://people.mozilla.org/~bsterne/cont ... y/demo.cgi
to test my Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.3a1pre) Gecko/20090929 Minefield/3.7a1pre ID:20090929160423 for the workings of CSP, I have to allow the site in NS to make the test work.
If NS is active I get a FAIL, otherwise PASS.
How can I benefit from CSP coming to the browser (and on a server near me) with NS active?
luntrus
Re: CSP test demo
Posted: Fri Oct 02, 2009 6:52 pm
by Giorgio Maone
No idea.
What's failing, exactly?
Re: CSP test demo
Posted: Fri Oct 02, 2009 7:39 pm
by luntrus
Hi Giorgio Maone,
On the demo page
http://people.mozilla.org/~bsterne/cont ... c-test.cgi
there is this script:
function passTest() {
    // Called from the image's onerror handler: the load was blocked, so the test passes.
    var r = document.getElementById("result");
    r.style.color = "#080";
    r.textContent = "PASS";
}
// Point the image at a cross-origin resource; under "allow 'self'" CSP should block it.
var i = document.getElementById("badImage");
i.onerror = passTest;
i.src = "http://hackmill.com/csp/tests/resources/1x1.gif";
If I don't allow Mozilla.org I get FAIL; if I temporarily allow Mozilla.org I get PASS.
So the working of CSP in the browser is dependent on whether I allow script to be executed for Mozilla.org.
The same goes for the demo part of the page:
<!-- "X-Content-Security-Policy: allow 'self'" -->
<html>
<head>
<style>
#result { color: #080; }
</style>
</head>
<body>
<h1 id="result">PASS</h1>
<script type="text/javascript" src="script/eval-script-test.js"></script>
</body>
</html>
If I do not allow Mozilla.org for that test page, it won't even open. So CSP is only functional when script for the CSP-authorized part of the website is allowed (and only authorized script from the web server can be run, the main bi-functional anti-cross-site-scripting functionality).
So CSP, in my opinion, is a last-line defense when script is allowed by NS or on NS-whitelisted sites; otherwise NS overrides the CSP functionality and provides equal security. Did I fully understand that?
luntrus
Re: CSP test demo
Posted: Fri Oct 02, 2009 7:58 pm
by Giorgio Maone
Wrong assumptions, luntrus.
The tests depend on JavaScript being enabled, not the features.
CSP is working correctly; it's just the test page which is unable to tell you this until you enable JavaScript.
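The distinction made above, as an added example that is not part of the forum thread or of Mozilla's demo pages: a small Node.js model of how the 2009 X-Content-Security-Policy prototype's `allow 'self'` rule decides whether a cross-origin image may load, and, separately, of what the demo page can display once its script is blocked. The policy grammar here is a deliberately reduced assumption (only `'self'`, `'none'`, `*`, `scheme://host[:port]` and bare `host[:port]` sources, with `allow` as the fallback for any `<type>-src` that is absent); the document URL is a constructed stand-in for the demo page, and `demoDisplays`/`runDemo` are hypothetical helpers that mirror the posted test script's behaviour.

```javascript
// Added example, not code from the forum thread or from Mozilla's CSP demo:
// a reduced model of the 2009 X-Content-Security-Policy "allow 'self'" decision
// and of how the demo page reports it. Uses Node's global URL class.

// Parse "allow 'self'; img-src hackmill.com" into { allow: [...], "img-src": [...] }.
// Assumption: only the simple source forms the demo needs; the real prototype
// grammar is larger.
function parsePolicy(header) {
  const directives = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// scheme://host[:port] of a URL; URL.host keeps an explicit non-default port.
function originOf(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${u.host}`;
}

function sourceMatches(src, documentUrl, resourceUrl) {
  if (src === "*") return true;
  if (src === "'self'") return originOf(resourceUrl) === originOf(documentUrl);
  if (src.startsWith("'")) return false; // any other keyword: no match
  if (src.includes("://")) return originOf(src) === originOf(resourceUrl);
  return src.toLowerCase() === new URL(resourceUrl).host.toLowerCase(); // bare host[:port]
}

// Is a load of `resourceUrl` of the given type ("img", "script", ...) permitted
// for a document at `documentUrl` under `policyHeader`?
function isLoadAllowed(policyHeader, documentUrl, resourceUrl, type) {
  const p = parsePolicy(policyHeader);
  // Assumption (matches the prototype's intent): "allow" is the default source
  // list for every type without a more specific directive such as img-src, and
  // with no policy at all nothing is restricted.
  const sources = p[`${type}-src`] || p.allow;
  if (!sources) return true;
  if (sources.includes("'none'")) return false;
  return sources.some((src) => sourceMatches(src, documentUrl, resourceUrl));
}

// What the demo page shows. The markup starts out saying "FAIL"; only the page's
// own script, from the image's onerror handler, rewrites it to "PASS". So with
// script disabled the page shows FAIL whatever CSP actually did.
function demoDisplays(scriptEnabled, imageLoadAllowed) {
  if (!scriptEnabled) return "FAIL";
  return imageLoadAllowed ? "FAIL" : "PASS";
}

// Constructed inputs modelled on the demo: a document on people.mozilla.org
// (hypothetical path), a cross-origin image on hackmill.com, policy "allow 'self'".
const DEMO_POLICY = "allow 'self'";
const DEMO_DOC = "http://people.mozilla.org/demo.cgi";
const DEMO_IMG = "http://hackmill.com/csp/tests/resources/1x1.gif";

function runDemo(scriptEnabled) {
  const allowed = isLoadAllowed(DEMO_POLICY, DEMO_DOC, DEMO_IMG, "img");
  return { blockedByCsp: !allowed, displays: demoDisplays(scriptEnabled, allowed) };
}

console.log("script enabled:", runDemo(true));  // blocked by CSP, page shows PASS
console.log("script blocked:", runDemo(false)); // still blocked by CSP, page shows FAIL
```

The two `runDemo` results make the point of the reply: `blockedByCsp` is true in both cases, because the policy decision never depended on the page's script; only the displayed verdict changes, since the report is produced by script that NoScript has not allowed to run.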
Re: CSP test demo
Posted: Sat Oct 03, 2009 10:46 am
by luntrus
Hi Giorgio Maone,
Understood: CSP functions, JS is blocked to view the test page.
luntrus