Test Assertions For Content Security Policy

From Web Security

This page documents the test assertions for the Content Security Policy specification [1].

Comments:

In the CSP Level 2 spec PING ("hyperlink auditing") shows up under form-action[1]. In Fetch it's listed as connect-src[2]. Both Fetch and CSP2 put sendBeacon() under connect-src.


Generic Test Assertions for CSP Level 2

Assertion Test Status
0.1 default-src directive cascades to appropriate policies: script-src, object-src, style-src, img-src, media-src, frame-src, font-src, connect-src bhill
0.2 'self' keyword positive test ryan
0.2.1 'self' fails with a different scheme TBD
0.2.2 'self' fails with a different port ryan
0.2.3 'self' fails with a different host (including sub-host e.g. foo.com as self with content from bar.foo.com) ryan
0.4 test implicit scheme for a source: succeeds http -> https TBD
0.6 test implicit scheme for a source: fails https -> http TBD
0.7 UNASSIGNED put your idea here - Is there any reliable way to test IPv4 and IPv6 host expressions? TBD
0.8 test wildcard host name matching (e.g. *.foo.com is good, www*.foo.com is bad, *www.foo.com is ???) ryan
0.9 test wildcard port number matching ryan
0.10 test implicit port number and explicit port number matching ryan
0.11 UNASSIGNED - put your test case idea here TBD
0.12 Parsing of source list and policies - semicolons, commas, URL encoded and not, etc. TBD
0.13 Verify that policies enforced for an owning document are also enforced for a Web Worker run by that document TBD
0.14 Verify policy combination logic - multiple policies combine in a least-privilege manner TBD
0.15 Verify policy combination logic - enforced and report-only policies do not interfere with each other TBD
0.16 Verify policy combination logic - multiple policies with different enforcement and different report-uris TBD
0.17 Verify that cross-origin report fetch uses anonymous request, does not accept cookies, headers are appropriately stripped bhill
0.18 Test "dangerous" report-uris - what happens if we use javascript: for reporting? Should only be able to invoke fetch algorithm, not be handled outside the browser. what about ftp:, tel: ? maybe should have to match the scheme the page was loaded over? (what about loading something with file:/// ??) TBD
0.19 Verify that URL restriction rules correctly handle cross-domain redirects. TBD
0.20 What happens with source expression combination: "https: www.webappsec-test.org" applied to an http resource and attempting to load something from http://www.webappsec-test.org/ ?
0.21 Are http://foo.com/ and http://foo.com:80/ same origin?
0.22 Are http://foo.com/ and http://foo.com./ same origin?
0.23 Test 'none' keyword source
0.24 Test 'none' keyword source
0.25 Test 'none' keyword source
0.26 Verify behavior of LINK rel=preload header with CSP Header
0.27 Verify behavior of LINK rel=preload header with CSP meta
0.2 Verify behavior of invalid URL characters in directives, invalid URLs generally
N/A test port matching with non-digits (e.g. octal, hex) - browsers appear not to accept this syntax, so nothing to test
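The generic assertions above (0.1 through 0.20) each describe a matching or combination rule in one line. The following is an added example, not code from this wiki page or from the CSP test suite: a small reference matcher for CSP Level 2 source expressions, with policy parsing, the default-src cascade and least-privilege combination of several policies, so the assertions can be checked as executable cases outside a browser. The rules it encodes are this example's reading of the CSP2 "does url match source expression" algorithm (implicit-scheme upgrade from http to https, `*.` host wildcards, implicit port equals the scheme's default port, `'self'` compares scheme, host and port); path matching is simplified to exact-or-prefix, and the IPv4/IPv6 special cases of 0.7 are not implemented.

```javascript
// Added example: CSP Level 2 source-expression matching and policy combination,
// written as an oracle for the generic test assertions. Not the spec's own code.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Directives that fall back to default-src when absent (assertion 0.1).
const FETCH_DIRECTIVES = ['script-src', 'object-src', 'style-src', 'img-src',
  'media-src', 'frame-src', 'font-src', 'connect-src'];

// CSP2 grammar: [scheme "://"] host-part [":" port] [path]; host-part is "*" or an
// optional "*." followed by dot-separated labels. Anything else ("www*.foo.com" in
// assertion 0.8) is not a valid expression and therefore matches nothing.
const HOST_SOURCE =
  /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\d+|\*))?(\/\S*)?$/;
const SCHEME_SOURCE = /^[a-z][a-z0-9+.-]*:$/;

// Effective port of a URL: the explicit port, else the scheme's default (assertion 0.10).
function portOf(url) {
  return url.port || DEFAULT_PORTS[url.protocol] || '';
}

// Does `urlStr`, loaded by the document at `documentUrlStr`, match one source expression?
function matchesExpression(expr, urlStr, documentUrlStr) {
  const url = new URL(urlStr);
  const doc = new URL(documentUrlStr);
  const lower = expr.toLowerCase();
  if (lower === "'none'") return false;                                // 0.23
  if (lower === "'self'") return url.origin === doc.origin;            // 0.2.x: scheme, host and port
  if (lower === '*') return !['blob:', 'data:', 'filesystem:'].includes(url.protocol);
  if (SCHEME_SOURCE.test(lower)) return lower === url.protocol;        // e.g. "https:"
  const m = HOST_SOURCE.exec(lower);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  if (scheme) {
    if (scheme + ':' !== url.protocol) return false;
  } else if (doc.protocol === 'http:') {
    // Implicit scheme on an http document: both http and https match (0.4).
    if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  } else if (url.protocol !== doc.protocol) {
    return false;                                                      // https -> http fails (0.6)
  }
  if (host.startsWith('*.')) {
    if (!url.hostname.endsWith(host.slice(1))) return false;           // "*.foo.com" needs a ".foo.com" suffix
  } else if (host !== '*' && host !== url.hostname) {
    return false;                                                      // exact host only, no sub-hosts (0.2.3)
  }
  if (port === undefined) {
    if (portOf(url) !== DEFAULT_PORTS[url.protocol]) return false;     // implicit port = default port (0.10)
  } else if (port !== '*' && port !== portOf(url)) {
    return false;                                                      // explicit port or wildcard (0.9)
  }
  if (path) {
    const isPrefix = path.endsWith('/');
    if (isPrefix ? !url.pathname.startsWith(path) : url.pathname !== path) return false;
  }
  return true;
}

// Policy parsing (assertion 0.12): directives are ";"-separated; each is a name followed
// by a whitespace-separated source list; a repeated directive name is ignored.
function parsePolicy(policyText) {
  const policy = new Map();
  for (const token of policyText.split(';')) {
    const trimmed = token.trim();
    if (!trimmed) continue;
    const [name, ...sources] = trimmed.split(/\s+/);
    if (!policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// A header value may carry several comma-separated policies, each enforced on its own.
function parseHeader(headerValue) {
  return headerValue.split(',').map(parsePolicy);
}

// Source list that governs `directive` in one policy, with the default-src cascade (0.1).
function sourceList(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (FETCH_DIRECTIVES.includes(directive)) return policy.get('default-src');
  return undefined;                         // unset and no fallback: this policy does not restrict it
}

function policyAllows(policy, directive, urlStr, documentUrlStr) {
  const list = sourceList(policy, directive);
  if (list === undefined) return true;
  return list.some(e => matchesExpression(e, urlStr, documentUrlStr));
}

// Least-privilege combination (0.14): every policy in the header must allow the load.
function headerAllows(headerValue, directive, urlStr, documentUrlStr) {
  return parseHeader(headerValue)
    .every(p => policyAllows(p, directive, urlStr, documentUrlStr));
}

// Assertion 0.20 as a runnable question: the scheme-source "https:" does not match, but
// the host-source with the document's implicit http scheme does.
console.log(headerAllows('default-src https: www.webappsec-test.org', 'img-src',
  'http://www.webappsec-test.org/logo.png', 'http://www.webappsec-test.org/'));
```

The functions take the document URL explicitly rather than reading it from a page, which is what makes the 'self' and implicit-scheme cases (0.2.x, 0.4, 0.6) testable as plain calls; a test harness would feed the same (expression, URL, document) triples to a browser and compare.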

Test Assertions for script-src directive

Assertion Test Status
1.1 Inline script does not execute with script-src and only 'self' on src list. bhill2
1.2 Inline script does not execute with script-src and * src list. bhill2
1.2.1 Inline script created with .innerHTML, .outerHTML, document.write(), document.writeln(), createElement() does not execute without 'unsafe-inline' bhill2
1.2.3 Inline event handler (e.g. onload) does not execute without 'unsafe-inline' in the src list (Legacy: bhill2, /submitted/WG/CSP_1_2.php, /submitted/WG/CSP_1_1.php)
1.2.4 XSLT style sheets do not execute with script-src and * src list. (Legacy: bhill2, /submitted/WG/CSP_1_2_4.php)
1.3 Inline script does execute with script-src and 'unsafe-inline' in src list. bhill2
1.4 Inline script using operator eval, function eval does not execute with script-src, 'unsafe-inline' in src list, but without 'unsafe-eval'. bhill2
1.4.1 Eval equivalents in inline script do not execute without 'unsafe-eval'. setTimeout and setInterval with non-callable first argument bhill2
1.4.2 Function as a constructor does not execute without 'unsafe-eval'. bhill2
1.5 Sourced script using operator eval, function eval does not execute with script-src, 'unsafe-inline' in src list, but without 'unsafe-eval'. (Legacy: bhill2, /submitted/WG/CSP_1_5.php)
1.5.1 Eval equivalents in sourced script do not execute without 'unsafe-eval'. setTimeout and setInterval with non-callable first argument, Function as a constructor (Legacy: bhill2, /submitted/WG/CSP_1_5_1.php, /submitted/WG/CSP_1_5_2.php)
1.6 External scripts not in the script-src src list do not execute. (Legacy: bhill2, /submitted/WG/CSP_1_6.php)
1.7 javascript: URIs do not execute without 'unsafe-inline' in the script-src src list. (Legacy: bhill2, /submitted/WG/CSP_1_7.php)
1.8 bookmarklets correctly execute without 'unsafe-inline' in the script-src src list. TBD
1.9 Worker and SharedWorker cannot be constructed with scripts not in the script-src list. TBD
1.9.1 Worker and SharedWorker inherit the CSP policy of the instantiating resource. TBD
1.9.2 Worker and SharedWorker : what happens if they get their own policy when created from a remote resource? TBD
1.10 Script sourced from a data: URI does not execute unless that scheme is in the script-src src list (Legacy: bhill2, /submitted/WG/CSP_1_10.php)
1.10.1 Script sourced from a data: URI does execute when that scheme is in the script-src src list (Legacy: bhill2, /submitted/WG/CSP_1_10_1.php)
1.11 Script sourced from inside the page using createObjectURL does not execute without 'unsafe-inline' TBD
1.12 Can javascript: URLs be whitelisted with hash / nonce? TBD

Test Assertions for object-src directive

Assertion Test Status
2.1 data attribute of object element
2.2 src attribute of embed element
2.3 code or archive attribute of applet element
2.4 navigating embedded objects directly in a nested browsing context (http://www.w3.org/TR/html5/browsers.html#nested-browsing-contexts)
2.5 plugin itself must not load if the associated URI is forbidden

Test Assertions for style-src directive

Assertion Test Status
3.1 ignores inline style elements without 'unsafe-inline' astearns
3.2 ignores inline style attributes without 'unsafe-inline' imelven
3.3 href of link with rel=stylesheet must be in src list imelven
3.4 @import directive in stylesheet must be in src list astearns
3.5 style-src does not impact XSLT stylesheet loading TBD

Test Assertions for img-src directive

Assertion Test Status
4.1 img element src attribute must match src list TBD
4.1.1 video element poster attribute must match the src list TBD
4.2 url() and image() values from CSS properties must match src list TBD
4.3 href of link with rel=icon must match src list TBD
4.4 picture element src and srcset must be in src list TBD
4.5 src attribute of a input element of type image must match src list TBD
4.6 ??? Should we also test <image> in RSS? This is an XML grammar and there are many such, but this is one commonly rendered directly by browsers? TBD

Test Assertions for frame-src directive

Assertion Test Status
5.1 iframe element src attribute must match src list terri
5.2 frame element src attribute must match the src list terri
5.3 iframe element navigation destination initiated by user click must be on the src list terri
5.4 iframe element navigation destination initiated by meta-refresh must be on src list terri
5.5 iframe element navigation by 302 headers and similar must be on src list terri

Test Assertions for policy-uri directive

Assertion Test Status
6.1 Ensure that the report-uri follows the CORS spec for cross-domain requests that try to return Set-Cookie TBD
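Assertions 0.17 and 6.1 concern the report fetch: it must be anonymous (no cookies, no credentials) and must carry a well-formed report. The block below is an added example, not code from this page or from the CSP test suite: a receiver-side oracle that takes an already-parsed request (a constructed object, not a real server) and lists every way it departs from what a conforming CSP Level 2 report POST looks like. The required and optional field names are this example's reading of the CSP2 violation-report format; the constructed sample report is not a captured browser message.

```javascript
// Added example: receiver-side checks for a CSP2 violation report POST. A browser that
// passes assertion 0.17 produces a request for which `problems` is empty.

const REQUIRED_FIELDS = ['document-uri', 'violated-directive', 'original-policy', 'blocked-uri'];
const OPTIONAL_FIELDS = ['referrer', 'effective-directive', 'source-file', 'line-number',
  'column-number', 'status-code'];

// Case-insensitive header lookup so the caller can pass headers in any case.
function header(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name);
  return key === undefined ? undefined : headers[key];
}

// Returns { ok, problems, report }; `report` holds only the known CSP2 fields.
function checkReportRequest(req) {
  const problems = [];
  if (req.method !== 'POST') problems.push(`method ${req.method}, expected POST`);
  const ct = String(header(req.headers, 'content-type') || '').split(';')[0].trim().toLowerCase();
  if (ct !== 'application/csp-report') problems.push(`content-type ${ct || '(none)'}`);
  // The report fetch omits credentials: neither cookies nor an Authorization header belong here.
  if (header(req.headers, 'cookie') !== undefined) problems.push('cookie sent on report fetch');
  if (header(req.headers, 'authorization') !== undefined) problems.push('credentials sent on report fetch');

  let body;
  try { body = JSON.parse(req.body); } catch (e) { problems.push('body is not JSON'); }
  const r = body && body['csp-report'];
  let report = null;
  if (!r || typeof r !== 'object') {
    if (body !== undefined) problems.push('missing csp-report object');
  } else {
    for (const f of REQUIRED_FIELDS) if (typeof r[f] !== 'string') problems.push(`missing ${f}`);
    report = {};
    for (const f of [...REQUIRED_FIELDS, ...OPTIONAL_FIELDS]) if (f in r) report[f] = r[f];
  }
  return { ok: problems.length === 0, problems, report };
}

// Constructed sample of what a browser would post after blocking an image load.
const SAMPLE_REQUEST = {
  method: 'POST',
  headers: { 'Content-Type': 'application/csp-report' },
  body: JSON.stringify({ 'csp-report': {
    'document-uri': 'http://www.webappsec-test.org/',
    'referrer': '',
    'blocked-uri': 'http://other.example/x.png',
    'violated-directive': "img-src 'self'",
    'effective-directive': 'img-src',
    'original-policy': "default-src 'self'; report-uri /csp-report",
    'status-code': 200,
  } }),
};

console.log(checkReportRequest(SAMPLE_REQUEST));
```

Copying only the known fields into `report` keeps anything unexpected in the posted JSON out of whatever store or log the collector writes to; the 6.1 case (a response that tries to set a cookie) has to be checked on the browser side, since the receiver cannot observe whether the cookie was stored.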

Test Assertions for media-src directive

Assertion Test Status
7.1 video element src attribute must match src list medelibero
7.2 audio element src attribute must match the src list medelibero
7.3 track element src attribute must match src list medelibero

Test Assertions for sandbox directive

Assertion Test Status
8.1 Delegate to HTML spec for most test cases TBD
8.2 verify proper behavior for iframe created from blob, srcdoc TBD
8.3 verify proper behavior for workers created from blob, data TBD

TODO: report-only header tests

 * report-only doesn't override enforced policies
 * report-only ignored as a meta tag

TODO: meta tag tests

TODO: frame-ancestors tests

TODO: SVG tests?

TODO: MathML tests and script?