Web Security: Introducing CSPTESTER.IO - A quick way to test and learn CSP on modern browsers
Content Security Policy (CSP) is an additional layer of security protection that can significantly reduce the risk and impact of web injection attacks like XSS on modern browsers. At Yahoo we are serious about enabling CSP on all major properties and have made significant progress toward that goal. Setting a CSP policy and fine-tuning it is a challenge because of feature and implementation disparities between browsers and browser versions. csptester.io is a tool to test policy behavior across multiple browsers, learn CSP, and understand those disparities.
What is CSPTESTER.IO?
csptester.io is a Node.js-based web app that frames a user’s HTML content and lets them test CSP policies in a browser of their choice to see what works and what fails. You may optionally even try XSS attacks against your own code.
Features
- It’s a web app; not a browser plugin - makes it easy to test CSP behavior across all modern browsers
- Ability to render your HTML code on iframe and top-level window
- Report-only and enforce mode options. Try an `alert()` in your code to see report-only and enforce in action!
- Shareable links - to share with other users or to repeat the test on a different browser
- Preloaded with a curated subset of WebKit/Chrome CSP tests to exercise various CSP features
- CSP HTML meta tag support (FF doesn’t support it yet!)
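To make the report-only vs. enforce distinction concrete, here is an added example (not code from csptester) that models how a browser evaluates a `script-src` directive and what each delivery mode does with a violation; the helper names are hypothetical and the evaluator is deliberately simplified (host sources, `'self'`, `'unsafe-inline'` and nonces only; no wildcards, hashes, paths or `'strict-dynamic'`).

```javascript
// Added example, not csptester's own code. Simplified CSP script-src model:
// host sources, 'self', 'unsafe-inline' and nonces are handled; wildcards,
// hashes, paths and 'strict-dynamic' are not. Helper names are hypothetical.

// Parse "default-src 'self'; script-src 'self' cdn.example" into
// { 'default-src': ["'self'"], 'script-src': ["'self'", 'cdn.example'] }.
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// script is { inline: true, nonce?: 'abc' } or { src: 'https://host/x.js' }.
function scriptAllowed(policy, pageOrigin, script) {
  const d = parsePolicy(policy);
  const sources = d['script-src'] || d['default-src'];
  if (!sources) return true;                 // no directive governs scripts
  if (script.inline) {
    if (sources.includes("'unsafe-inline'")) return true;
    return script.nonce !== undefined && sources.includes(`'nonce-${script.nonce}'`);
  }
  const origin = new URL(script.src).origin;
  return sources.some((s) => {
    if (s === '*') return true;
    if (s === "'self'") return origin === pageOrigin;
    if (s.startsWith("'")) return false;     // other keywords not modelled
    const host = s.includes('://') ? s : 'https://' + s;  // scheme-less host source
    return new URL(host).origin === origin;
  });
}

// The response header a csptester-style harness emits for each mode.
function cspHeaderName(reportOnly) {
  return reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
}

// Outcome of loading one script: report-only still runs it but sends a
// violation report; enforce blocks it and reports.
function outcome(policy, reportOnly, pageOrigin, script) {
  const allowed = scriptAllowed(policy, pageOrigin, script);
  return { executed: allowed || reportOnly, reported: !allowed };
}

// Constructed scenario: the page's inline alert() under both modes.
const policy = "default-src 'self'; script-src 'self' cdn.example";
const inlineAlert = { inline: true };        // <script>alert(1)</script>
console.log(cspHeaderName(true), outcome(policy, true, 'https://app.example', inlineAlert));
console.log(cspHeaderName(false), outcome(policy, false, 'https://app.example', inlineAlert));
```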
What’s more?
csp-validator.js is a PhantomJS-based command-line script that validates the CSP policy for a given URL. You may find it useful during the web application build/CI/CD (integration testing) phase, to check that your web page complies with the defined policy before it is deployed to production.
We’re pleased to share csptester with the community, and collaborate with others on this project. If you’d like to start contributing, don’t hesitate to fork our repo or open an issue at https://github.com/yahoo/csptester
Binu Ramakrishnan (@securitysauce) - Security Engineer, Yahoo Mail
Engineering