mcauer / browserscope

Automatically exported from code.google.com/p/browserscope
Apache License 2.0
0 stars 0 forks source link

BrowserScope test does NOT actually test Content Security Policy, still report CSP as "FAIL" #350

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. Launch Chromium (31 or above)
2. Go to http://browserscope2.org/?category=security
3. Open dev tools, click Network tab
4. Run the security test
5. Right-click inside the network pane, and click "Copy All as HAR"
6. Paste into a text editor
7. Search for "content-security-policy"

What is the expected output? What do you see instead?

I expect to find a "content-security-policy" header in there, demonstrating 
that a CSP was actually used to test CSP.

No CSP header was found. Meaning the test doesn't actually test CSP, yet still 
report CSP as "FAIL".

What version of the product are you using? On what operating system?

Whatever the version of http://browserscope2.org/?category=security is at time 
of reporting this bug.

Original issue reported on code.google.com by rh...@raymondhill.net on 22 Mar 2014 at 12:22

GoogleCodeExporter commented 8 years ago

Original comment by els...@gmail.com on 24 Mar 2014 at 4:15

GoogleCodeExporter commented 8 years ago
https://code.google.com/p/browserscope/source/browse/trunk/categories/security/h
andlers.py#102 :

    response['X-WebKit-CSP']="default-src 'self'"

Should become:

    response['Content-Security-Policy']="default-src 'self'"

?

Original comment by rh...@raymondhill.net on 5 Apr 2014 at 5:26

GoogleCodeExporter commented 8 years ago

Original comment by els...@gmail.com on 14 Apr 2014 at 7:12