Test Assertions for Content Security Policy
This page documents the test assertions for the Content Security Policy specification [1].
Comments:

In the CSP Level 2 spec PING ("hyperlink auditing") shows up under form-action [1]. In Fetch it's listed as connect-src [2]. Both Fetch and CSP2 put sendBeacon() under connect-src.
Generic Test Assertions for CSP Level 2

| | Assertion | Test Status |
|---|---|---|
| 0.1 | default-src directive cascades to appropriate policies: script-src, object-src, style-src, img-src, media-src, frame-src, font-src, connect-src | bhill |
| 0.2 | 'self' keyword positive test | ryan |
| 0.2.1 | 'self' fails with a different scheme | TBD |
| 0.2.2 | 'self' fails with a different port | ryan |
| 0.2.3 | 'self' fails with a different host (including sub-host, e.g. foo.com as self with content from bar.foo.com) | ryan |
| 0.4 | test implicit scheme for a source: succeeds http -> https | TBD |
| 0.6 | test implicit scheme for a source: fails https -> http | TBD |
| 0.7 | UNASSIGNED - put your idea here. Is there any reliable way to test IPv4 and IPv6 host expressions? | TBD |
| 0.8 | test wildcard host name matching (e.g. *.foo.com is good, www*.foo.com is bad, *www.foo.com is ???) | ryan |
| 0.9 | test wildcard port number matching | ryan |
| 0.10 | test implicit port number and explicit port number matching | ryan |
| 0.11 | UNASSIGNED - put your test case idea here | TBD |
| 0.12 | Parsing of source list and policies: semicolons, commas, URL encoded and not, etc. | TBD |
| 0.13 | Verify that policies enforced for an owning document are also enforced for a Web Worker run by that document | TBD |
| 0.14 | Verify policy combination logic: multiple policies combine in a least-privilege manner | TBD |
| 0.15 | Verify policy combination logic: enforced and report-only policies do not interfere with each other | TBD |
| 0.16 | Verify policy combination logic: multiple policies with different enforcement and different report-uris | TBD |
| 0.17 | Verify that a cross-origin report fetch uses an anonymous request, does not accept cookies, and that headers are appropriately stripped | bhill |
| 0.18 | Test "dangerous" report-uris: what happens if we use javascript: for reporting? It should only be able to invoke the fetch algorithm, not be handled outside the browser. What about ftp:, tel:? Maybe the report-uri should have to match the scheme the page was loaded over? (What about loading something with file:///?) | TBD |
| 0.19 | Verify that URL restriction rules correctly handle cross-domain redirects. | TBD |
| 0.20 | What happens with source expression combination: "https: www.webappsec-test.org" applied to an http resource and attempting to load something from http://www.webappsec-test.org/? | |
| 0.21 | Are http://foo.com/ and http://foo.com:80/ same origin? | |
| 0.22 | Are http://foo.com/ and http://foo.com./ same origin? | |
| 0.23 | Test 'none' keyword source | |
| 0.24 | Test 'none' keyword source | |
| 0.25 | Test 'none' keyword source | |
| 0.26 | Verify behavior of LINK rel=preload header with CSP header | |
| 0.27 | Verify behavior of LINK rel=preload header with CSP meta | |
| 0.2 | Verify behavior of invalid URL characters in directives, and of invalid URLs generally | |
| N/A | test port matching with non-digits (e.g. octal, hex): browsers appear not to accept this syntax, so nothing to test | |
Test Assertions for script-src directive

| | Assertion | Test Status |
|---|---|---|
| 1.1 | Inline script does not execute with script-src and only 'self' on the src list. | bhill2 |
| 1.2 | Inline script does not execute with script-src and a * src list. | bhill2 |
| 1.2.1 | Inline script created with .innerHTML, .outerHTML, document.write(), document.writeln(), createElement() does not execute without 'unsafe-inline' | bhill2 |
| 1.2.3 | Inline event handler (onload) does not execute without 'unsafe-inline' in the src list | (Legacy: bhill2, /submitted/WG/CSP_1_2.php, /submitted/WG/CSP_1_1.php) |
| 1.2.4 | XSLT style sheets do not execute with script-src and a * src list. | (Legacy: bhill2, /submitted/WG/CSP_1_2_4.php) |
| 1.3 | Inline script does execute with script-src and 'unsafe-inline' in the src list. | bhill2 |
| 1.4 | Inline script using operator eval or function eval does not execute with script-src and 'unsafe-inline' in the src list, but without 'unsafe-eval'. | bhill2 |
| 1.4.1 | Eval equivalents in inline script do not execute without 'unsafe-eval': setTimeout and setInterval with a non-callable first argument | bhill2 |
| 1.4.2 | Function as a constructor does not execute without 'unsafe-eval'. | bhill2 |
| 1.5 | Sourced script using operator eval or function eval does not execute with script-src and 'unsafe-inline' in the src list, but without 'unsafe-eval'. | (Legacy: bhill2, /submitted/WG/CSP_1_5.php) |
| 1.5.1 | Eval equivalents in sourced script do not execute without 'unsafe-eval': setTimeout and setInterval with a non-callable first argument, Function as a constructor | (Legacy: bhill2, /submitted/WG/CSP_1_5_1.php, /submitted/WG/CSP_1_5_2.php) |
| 1.6 | External scripts not in the script-src src list do not execute. | (Legacy: bhill2, /submitted/WG/CSP_1_6.php) |
| 1.7 | javascript: URIs do not execute without 'unsafe-inline' in the script-src src list. | (Legacy: bhill2, /submitted/WG/CSP_1_7.php) |
| 1.8 | Bookmarklets correctly execute without 'unsafe-inline' in the script-src src list. | TBD |
| 1.9 | Worker and SharedWorker cannot be constructed with scripts not in the script-src list. | TBD |
| 1.9.1 | Worker and SharedWorker inherit the CSP policy of the instantiating resource. | TBD |
| 1.9.2 | Worker and SharedWorker: what happens if they get their own policy when created from a remote resource? | TBD |
| 1.10 | Script sourced from a data: URI does not execute unless that scheme is in the script-src src list | (Legacy: bhill2, /submitted/WG/CSP_1_10.php) |
| 1.10.1 | Script sourced from a data: URI does execute when that scheme is in the script-src src list | (Legacy: bhill2, /submitted/WG/CSP_1_10_1.php) |
| 1.11 | Script sourced from inside the page using createObjectURL does not execute without 'unsafe-inline' | TBD |
| 1.12 | Can javascript: URLs be whitelisted with a hash or nonce? | TBD |
Test Assertions for object-src directive

| | Assertion | Test Status |
|---|---|---|
| 2.1 | data attribute of object element | |
| 2.2 | src attribute of embed element | |
| 2.3 | code or archive attribute of applet element | |
| 2.4 | navigating embedded objects directly in a nested browsing context (http://www.w3.org/TR/html5/browsers.html#nested-browsing-contexts) | |
| 2.5 | plugin itself must not load if the associated URI is forbidden | |
Test Assertions for style-src directive

| | Assertion | Test Status |
|---|---|---|
| 3.1 | ignores inline style elements without 'unsafe-inline' | astearns |
| 3.2 | ignores inline style attributes without 'unsafe-inline' | imelven |
| 3.3 | href of link with rel=stylesheet must be in src list | imelven |
| 3.4 | @import directive in stylesheet must be in src list | astearns |
| 3.5 | style-src does not impact XSLT stylesheet loading | TBD |
Test Assertions for img-src directive

| | Assertion | Test Status |
|---|---|---|
| 4.1 | img element src attribute must match src list | TBD |
| 4.1.1 | video element poster attribute must match the src list | TBD |
| 4.2 | url() and image() values from CSS properties must match src list | TBD |
| 4.3 | href of link with rel=icon must match src list | TBD |
| 4.4 | picture element src and srcset must be in src list | TBD |
| 4.5 | src attribute of an input element of type image must match src list | TBD |
| 4.6 | ??? Should we also test <image> in RSS? This is an XML grammar and there are many such, but this is one commonly rendered directly by browsers. | TBD |
Test Assertions for frame-src directive

| | Assertion | Test Status |
|---|---|---|
| 5.1 | iframe element src attribute must match src list | terri |
| 5.2 | frame element src attribute must match the src list | terri |
| 5.3 | iframe element navigation destination initiated by user click must be on the src list | terri |
| 5.4 | iframe element navigation destination initiated by meta-refresh must be on src list | terri |
| 5.5 | iframe element navigation by 302 headers and similar must be on src list | terri |
Test Assertions for policy-uri directive

| | Assertion | Test Status |
|---|---|---|
| 6.1 | Ensure that the report-uri follows the CORS spec for cross-domain requests that try to return Set-Cookie | TBD |
Test Assertions for media-src directive

| | Assertion | Test Status |
|---|---|---|
| 7.1 | video element src attribute must match src list | medelibero |
| 7.2 | audio element src attribute must match the src list | medelibero |
| 7.3 | track element src attribute must match src list | medelibero |
Test Assertions for sandbox directive

| | Assertion | Test Status |
|---|---|---|
| 8.1 | Delegate to HTML spec for most test cases | TBD |
| 8.2 | verify proper behavior for iframe created from blob, srcdoc | TBD |
| 8.3 | verify proper behavior for workers created from blob, data | TBD |
* report-only doesn't override enforced policies
* report-only ignored as a meta tag
TODO: meta tag tests
TODO: frame-ancestors tests
TODO: SVG tests?
TODO: MathML tests and script?