03. May 2022
Testing Content Security Policy (CSP) protected web pages with Firefox
Content Security Policies are a powerful tool for making cross-site scripting attacks on web sites and web applications difficult. The web server sends response headers with one or more
Unfortunately, this is no longer possible as easily with Firefox since version 99 - with the result that QF-Test will come up with a DocumentNotLoaded exception for applications protected this way.
To avoid the problem, you basically have three options:
- Execute the web application in a "test mode" without CSP headers.
- Remove the CSP headers via a proxy.
- Remove the CSP headers via a browser add-on.
Execute the application in "test mode"
The "test mode" is the best solution when you have influence on the web application: start the application on a test server in a special, "CSP free" mode. The problems will then no longer occur when testing with QF-Test.
Remove the CSP headers via proxy
At the start of a web test you can specify a proxy via which to load the web pages in the parameters proxyPort of the procedure call to qfs.web.browser.settings.doStartupSettings. In the proxy you can then remove the impeding response headers, for example with nginx, squid, mitmproxy or with the Java proxy browsermob-proxy, which can even be configured from SUT scripts.
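As an added illustration of the proxy approach (this is example code, not part of the original post and not QF-Test's or any of the named proxies' own code), the following minimal forward proxy written with the Python standard library forwards plain http:// requests and removes the CSP headers from the responses before they reach the browser. It goes slightly beyond the post in that it strips Content-Security-Policy-Report-Only as well as Content-Security-Policy, so report-only policies do not produce console noise during the test either. It assumes plain HTTP targets only; it does not handle CONNECT/TLS, so for HTTPS applications use mitmproxy or one of the other proxies mentioned above. The port 8080 and the listen address 127.0.0.1 are assumptions for a local test setup.

```python
"""Minimal plain-HTTP forward proxy that strips CSP headers from responses.

Added example for a local QF-Test setup; not QF-Test's own code. Handles
only absolute http:// URLs (no CONNECT/TLS). For HTTPS use mitmproxy.
"""
import http.client
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.parse import urlsplit

# Response headers the test proxy removes (matched case-insensitively).
# The Report-Only variant is stripped too, which goes beyond the add-on rule
# in the post that only deletes Content-Security-Policy.
STRIPPED_HEADERS = frozenset({
    "content-security-policy",
    "content-security-policy-report-only",
})

# Hop-by-hop headers that a proxy must not forward (RFC 7230 section 6.1).
HOP_BY_HOP = frozenset({
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailer", "transfer-encoding", "upgrade",
})


def strip_csp_headers(headers):
    """Return a new list of (name, value) pairs without the CSP headers.

    `headers` is any iterable of (name, value) pairs, for example the result
    of http.client.HTTPResponse.getheaders(). Order of the rest is kept.
    """
    return [(n, v) for n, v in headers if n.lower() not in STRIPPED_HEADERS]


class CspStrippingProxy(BaseHTTPRequestHandler):
    """Forward proxy handler: fetch the upstream response, drop CSP, relay."""

    protocol_version = "HTTP/1.1"

    def _forward(self):
        # A forward proxy receives an absolute URL in the request line.
        target = urlsplit(self.path)
        if target.scheme != "http" or not target.netloc:
            self.send_error(400, "only absolute http:// URLs are supported")
            return
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length) if length else None
        path = target.path or "/"
        if target.query:
            path += "?" + target.query
        req_headers = {k: v for k, v in self.headers.items()
                       if k.lower() not in HOP_BY_HOP}
        conn = http.client.HTTPConnection(target.hostname,
                                          target.port or 80, timeout=30)
        try:
            conn.request(self.command, path, body=body, headers=req_headers)
            resp = conn.getresponse()
            payload = resp.read()
        finally:
            conn.close()
        # Relay status and headers, minus CSP and hop-by-hop headers; the
        # body is sent with a fresh Content-Length since we buffered it.
        self.send_response(resp.status, resp.reason)
        for name, value in strip_csp_headers(resp.getheaders()):
            if name.lower() in HOP_BY_HOP or name.lower() == "content-length":
                continue
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(payload)))
        self.send_header("Connection", "close")
        self.end_headers()
        self.wfile.write(payload)

    do_GET = do_POST = do_PUT = do_DELETE = do_OPTIONS = _forward


def serve(port=8080):
    """Run the proxy on 127.0.0.1:<port> (assumed values for a local test)."""
    ThreadingHTTPServer(("127.0.0.1", port), CspStrippingProxy).serve_forever()


if __name__ == "__main__":
    serve()
```

Run the script, then pass the chosen port to the proxy parameters of qfs.web.browser.settings.doStartupSettings so that the QF-Test browser loads the application through it. Keep this strictly to the test environment: the browser behind the proxy has no CSP protection at all, so it should only ever be pointed at the application under test.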
Remove the CSP headers via browser add-on
- Create a new setup sequence with the quickstart assistant of QF-Test opening the test page https://content-security-policy.com/browser-test/. When all the boxes on the page are shown in red, everything is fine for the test; if they are green, CSP is not being ignored.
- Navigate in that browser to the installation site of the add-on, for example https://addons.mozilla.org/de/firefox/addon/simple-modify-header/. Since QF-Test uses a dedicated profile for the tests, it is important that the installation is done in the QF-Test profile.
- Install the add-on via the button "Add to Firefox".
- Now an icon for configuration appears to the right of the URL bar. Click it to open the configuration page (if the browser starts to flicker you can close the first tab).
- Define a rule valid for all URLs ("Url Patterns*: *") with the action "Delete", the Header Field Name Content-Security-Policy and an empty Header Field Value, applied to server responses ("Apply on Response"). Click on "Save".
- With "simple modify headers" you then have to activate the add-on via the "START" icon.
- When you now close the browser and run the setup sequence again, the boxes on the test page should all be red.
- From now on, even with CSP-protected applications, you should no longer encounter any CSP problems while testing.