NIAP: View Technical Decision Details
TD0625:  Test Clarification: BROWSER_EP FDP_ACF_EXT.1 Test Effort

Publication Date
2022.03.25

Protection Profiles
PP_APP_WEBBROWSER_EP_v2.0

Other References
FDP_ACF_EXT.1.1

Issue Description

The tests for FDP_ACF_EXT.1.1 need clarification in the following areas: 

There is ambiguity in the level of effort required to show a script “cannot access session storage associated with a different window/tab.” 

The test setup specifies “different domains using different protocols and/or ports;” however, Test 1 does not make any use of “different domains using different protocols and/or ports.” Also, the test does not include “for each” statements. 

Resolution

The tests for FDP_ACF_EXT.1.1 in the Application Software Extended Package for Web Browsers v2.0 are replaced with:

Tests

The evaluator shall obtain or create JavaScript-based scripts that store and retrieve information from local and session storage. The evaluator shall set up a web server with two or more web pages from different domains (e.g., test1.example.com and test2.example.com) with at least one of the domains served from multiple ports (e.g., port 80 and port 443). The evaluator shall incorporate the scripts into the web pages. The web pages will be opened in a manner that creates a relationship allowing for a JavaScript object handle to refer from one window to the other (e.g., window.parent, window.opener, etc.). The evaluator shall perform the following tests:

Test 1: The evaluator shall open both pages ensuring that they are loaded from the same domain using the same port. The evaluator shall verify that the script is unable to access session storage through a window relationship handle (e.g., window.opener.sessionStorage).

Test 2: The evaluator shall open both pages ensuring that they are loaded from different domains. The evaluator shall verify that the script is unable to access session storage through a window relationship handle (e.g., window.opener.sessionStorage).

Test 3: The evaluator shall open both pages ensuring that they are loaded from the same domain using different ports. The evaluator shall verify that the script is unable to access session storage through a window relationship handle (e.g., window.opener.sessionStorage).
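As an added example (not part of this Technical Decision or of the Extended Package), the JavaScript below is one way an evaluator could script the setup and the three tests above. In a browser it writes and reads back values in the page's own local and session storage, then tries to read session storage through the `window.opener` and `window.parent` relationship handles named in the test setup and records whether the access was blocked. The URL classification helper maps a pair of page URLs (e.g., test1.example.com vs. test2.example.com, port 80 vs. 443) onto Test 1, 2 or 3 using the browser origin rule (scheme, host, port); treating an http/https scheme change as a Test 3 port change is this example's own choice, since it changes the default port. The storage key name, the `role` parameter and the outcome labels are constructed for this example, and the helpers are kept as pure functions so the decision logic can also be exercised outside a browser with stub handles.

```javascript
// Added evaluator harness; not code from the TD or the Extended Package.
// In a browser it exercises the page's own storage, then probes session
// storage through window.opener / window.parent. The helpers are pure so
// they can be checked under Node with stub handles.

const TEST_KEY = 'fdp_acf_ext_1_probe'; // constructed key name (hypothetical)

// Effective port: the explicit port, else the scheme default.
function effectivePort(u) {
  return u.port || (u.protocol === 'https:' ? '443' : '80');
}

// Map a pair of page URLs onto the three TD0625 test cases.
// A scheme change (http vs https) changes the default port, so it is
// treated as a Test 3 (same domain, different port) case here.
function classifyPair(urlA, urlB) {
  const a = new URL(urlA);
  const b = new URL(urlB);
  if (a.hostname !== b.hostname) return 'Test 2';
  if (a.protocol !== b.protocol || effectivePort(a) !== effectivePort(b)) return 'Test 3';
  return 'Test 1';
}

// The "store and retrieve" part of the setup: write a value to a Storage
// object and confirm it reads back.
function exerciseOwnStorage(storage, value) {
  storage.setItem(TEST_KEY, value);
  return storage.getItem(TEST_KEY) === value;
}

// Attempt to read session storage through a window relationship handle.
// Outcomes (constructed labels):
//   'blocked'   - the browser threw (e.g. a SecurityError) on the access
//   'accessed'  - the other window's probe value was readable (requirement not met)
//   'empty'     - a storage object was reachable but held no probe value;
//                 the evaluator must judge which window it belongs to
//   'no-handle' - the relationship handle was null/undefined
function probeRelatedWindow(handle, label) {
  if (!handle) return { label, outcome: 'no-handle', detail: 'handle is null/undefined' };
  try {
    const store = handle.sessionStorage;
    const value = store ? store.getItem(TEST_KEY) : null;
    if (value !== null && value !== undefined) {
      return { label, outcome: 'accessed', detail: 'read "' + value + '"' };
    }
    return { label, outcome: 'empty', detail: 'storage reachable, no probe value' };
  } catch (err) {
    return { label, outcome: 'blocked', detail: err.name + ': ' + err.message };
  }
}

// Browser entry point. The first page calls runInBrowser('opener') before
// window.open(); the opened page calls runInBrowser('opened'). The role is
// written into the stored value so the two windows' values are distinguishable.
function runInBrowser(role) {
  if (typeof window === 'undefined') return null; // not in a browser
  const origin = window.location.origin;
  const results = [
    { label: 'own localStorage', ok: exerciseOwnStorage(window.localStorage, 'local:' + origin) },
    { label: 'own sessionStorage', ok: exerciseOwnStorage(window.sessionStorage, role + ':' + origin) },
  ];
  if (role === 'opened') {
    results.push(probeRelatedWindow(window.opener, 'window.opener'));
    if (window.parent !== window) results.push(probeRelatedWindow(window.parent, 'window.parent'));
  }
  return results;
}
```

For each of the three tests the evaluator loads the two pages at the URL pair that `classifyPair` reports as that test, runs `runInBrowser('opener')` in the first page, opens the second page from it, and runs `runInBrowser('opened')` there; an `accessed` outcome on either handle is the result the test is checking for, and an `empty` outcome needs a manual look at which window's storage the handle returned.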

Justification

See Issue Description
