Author: Pascal Bihler
03. May 2022

Testing Content Security Policy (CSP) protected web pages with Firefox

Content Security Policy (CSP) is a powerful tool for making cross-site scripting (XSS) attacks on web sites and web applications difficult. The web server sends one or more Content-Security-Policy response header rows to the browser, which define explicitly, for example, which JavaScript code may be executed in the context of the web page.
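To make concrete what such a header row decides, here is an added example (not QF-Test code or code from this post) that parses a CSP header value and reports whether the policy would block script that a test tool injects into the page, i.e. inline script and eval(). The policy strings are constructed samples, not headers captured from any real site.

```python
# Added example (not QF-Test code): parse a Content-Security-Policy header
# value and tell whether it would block script injected into the page
# (inline script and eval()). The sample policies below are constructed.

def parse_csp(header_value: str) -> dict:
    """Split a CSP header value into {directive name: [source expressions]}.

    Directives are separated by ';', tokens inside a directive by whitespace.
    If a directive name is repeated within one policy, browsers keep the first
    occurrence and ignore the rest, which is mirrored here.
    """
    policy = {}
    for directive in header_value.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        policy.setdefault(name, tokens[1:])
    return policy


def effective_script_sources(policy: dict):
    """script-src governs script execution; if it is absent the browser falls
    back to default-src; if neither is present, scripts are unrestricted (None)."""
    for name in ("script-src", "default-src"):
        if name in policy:
            return [src.lower() for src in policy[name]]
    return None


def inline_script_allowed(header_value: str) -> bool:
    """True if the policy lets inline <script> blocks / injected script run."""
    sources = effective_script_sources(parse_csp(header_value))
    if sources is None:
        return True
    # Once the source list carries a nonce, a hash or 'strict-dynamic',
    # browsers ignore 'unsafe-inline' (CSP Level 2 and 3), so such a policy
    # still blocks injected script even though the keyword is present.
    overridden = any(
        src.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
        or src == "'strict-dynamic'"
        for src in sources
    )
    return "'unsafe-inline'" in sources and not overridden


def eval_allowed(header_value: str) -> bool:
    """True if eval() / new Function() are permitted by the policy."""
    sources = effective_script_sources(parse_csp(header_value))
    return sources is None or "'unsafe-eval'" in sources


# Constructed sample policies, each with the outcome a test tool would see.
SAMPLE_POLICIES = {
    "no header": "",
    "self only": "default-src 'self'; script-src 'self' https://cdn.example",
    "inline via default-src": "default-src 'self' 'unsafe-inline'",
    "nonce overrides inline": "script-src 'nonce-r4nd0m' 'unsafe-inline'",
    "eval allowed": "script-src 'self' 'unsafe-eval'",
}


def report(policies: dict = SAMPLE_POLICIES) -> dict:
    """Map each sample name to (inline script allowed, eval allowed)."""
    return {name: (inline_script_allowed(p), eval_allowed(p))
            for name, p in policies.items()}


if __name__ == "__main__":
    for name, (inline, ev) in report().items():
        print(f"{name:24s} inline script: {'allowed' if inline else 'blocked':8s}"
              f" eval: {'allowed' if ev else 'blocked'}")
```

A policy like "self only" is exactly the kind that makes a browser refuse script injected by a test tool; note that merely adding 'unsafe-inline' next to a nonce does not help, since modern browsers then ignore the keyword.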

When you test a web application with QF-Test, it has to interact closely with the application in order to recognize components, execute checks, or record a test. For example, QF-Test executes JavaScript code in the context of the web page via its WebDriver interface, and a strict CSP rule may interfere here. Therefore, QF-Test starts the browser in a mode that ignores the Content-Security-Policy header rows.

Unfortunately, since Firefox version 99 this is no longer possible as easily, with the result that QF-Test raises a DocumentNotLoaded exception for applications protected in this way.

In order to avoid the problem, you basically have three options:

  1. Execute the web application in a "test mode" without CSP headers.
  2. Remove the CSP headers via a proxy.
  3. Remove the CSP headers via a browser add-on.

Execute the application in "test mode"

The "test mode" is the best solution when you have influence on the web application: start the application on a test server in a special, "CSP free" mode. The problems then no longer occur when testing with QF-Test.

Remove the CSP headers via proxy

At the start of a web test you can specify a proxy through which the web pages are loaded, using the parameters proxyAddress and proxyPort of the procedure call qfs.web.browser.settings.doStartupSettings. In the proxy you can then remove the interfering response headers, for example with nginx, squid, mitmproxy, or with the Java proxy browsermob-proxy, which can even be configured from SUT scripts.
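As an added example of the proxy approach (this is not QF-Test's or mitmproxy's own code), the following mitmproxy addon script removes the enforcing Content-Security-Policy header from responses of the application under test only. The host list TEST_HOSTS, the marker header and the sample response headers are constructed assumptions for the example.

```python
# Added example (not QF-Test's or mitmproxy's own code): a mitmproxy addon
# script that removes the enforcing Content-Security-Policy header from
# responses of the application under test, so the browser started by QF-Test
# no longer enforces the policy. Run it with:  mitmdump -p 8080 -s strip_csp.py
# and point proxyAddress/proxyPort in doStartupSettings at it.
# TEST_HOSTS, the marker header and the sample headers below are assumptions.

# Only responses from these hosts are touched; everything else passes through
# unchanged, so the proxy does not silently weaken every site loaded through it.
TEST_HOSTS = {"app.test.example", "localhost"}

CSP_HEADER = "content-security-policy"


def strip_csp(headers) -> int:
    """Remove every Content-Security-Policy header, whatever its letter case.

    Works on a plain dict as well as on mitmproxy's Headers object (both
    support keys() and del headers[name]). Content-Security-Policy-Report-Only
    is deliberately left alone: it never blocks anything, and keeping it lets
    the application's report endpoint still record what a test run violates.
    Returns the number of header names removed.
    """
    removed = 0
    for name in list(set(headers.keys())):
        if name.lower() == CSP_HEADER:
            del headers[name]
            removed += 1
    return removed


def should_strip(host: str) -> bool:
    """Decide from the request host whether this response belongs to the SUT."""
    return host.lower() in TEST_HOSTS


def response(flow) -> None:
    """mitmproxy hook, called once per completed server response."""
    if flow.response is not None and should_strip(flow.request.pretty_host):
        n = strip_csp(flow.response.headers)
        if n:
            # Hypothetical marker header so a modified response is obvious
            # in the browser's developer tools.
            flow.response.headers["X-CSP-Stripped-For-Test"] = str(n)


def demo() -> dict:
    """Exercise strip_csp() on constructed sample response headers (plain dict)."""
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
        "content-security-policy-report-only": "script-src 'none'",
        "X-Frame-Options": "DENY",
    }
    strip_csp(headers)
    return headers


if __name__ == "__main__":
    print(demo())
```

For HTTPS pages the QF-Test browser profile must trust mitmproxy's certificate authority (the certificate is in ~/.mitmproxy after the first start, or can be fetched from http://mitm.it while the browser is proxied), otherwise the test page will not load at all and the missing header is not the problem.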

Remove the CSP headers via browser add-on

The third option is to remove the header in the browser via an add-on, for example ModHeader or simple-modify-headers. This is the approach recommended by Mozilla developers.

Installation:

  1. Create a new setup sequence with the quickstart assistant of QF-Test that opens the test page https://content-security-policy.com/browser-test/. When all boxes on that page are shown in red, everything is fine (for the test); if they are green, CSP is not being ignored.
  2. Navigate in that browser to the installation page of the add-on, for example https://addons.mozilla.org/de/firefox/addon/simple-modify-header/. Since QF-Test uses a dedicated profile for the tests, it is important that the installation is done in the QF-Test profile.
  3. Install the add-on via the button "Add to Firefox".
  4. An icon for configuration now appears to the right of the URL bar. Click it to open the configuration page (if the browser starts to flicker, you can close the first tab).
  5. Define a rule valid for all URLs ("Url Patterns*: *") with the action "Delete", the Header Field Name Content-Security-Policy and an empty Header Field Value, applied to server responses ("Apply on Response"). Click "Save".
  6. With "simple modify headers" you then have to activate the add-on via the "START" icon.
  7. When you now close the browser and run the setup sequence again, all boxes on the test page should be red.
  8. Even with CSP-protected applications you should now no longer encounter any CSP problems during testing.
