diff --git a/bin/.bin/webtest/analyse-headers b/bin/.bin/webtest/analyse-headers
index dc96b0e0..d0337bfe 100755
--- a/bin/.bin/webtest/analyse-headers
+++ b/bin/.bin/webtest/analyse-headers
@@ -117,10 +117,10 @@ test_x-frame-options(){
 "SAMEORIGIN"|"DENY") return 0 ;;
 "ALLOW-FROM"*) echo "X-Frame-Opitons" | drawInBox
- wecho "The ALLOW-FROM derivative is obsolete and no longer works \
-in modern browsers."
- wecho "The Content-Security-Policy HTTP header has a \
-frame-ancestors directive which you can use instead."
+ wecho -e "The ALLOW-FROM derivative is obsolete and no longer works \
+in modern browsers.\n\n"
+ wecho -e "The Content-Security-Policy HTTP header has a \
+frame-ancestors directive which you can use instead.\n\n"
 return 1 ;;
 *)
@@ -131,6 +131,14 @@ indicate whether or not a browser should be allowed to render a page in a \
 click-jacking attacks, by ensuring that their content is not embedded into \
 other sites."
+ if echo "$headers" |
+ grep -Eqi '^content-security-policy:.*frame-ancestors.*'; then
+ wecho "It looks like the content security policy contains the \
+frame ancestors directive. This also mitigates against the clickjacking \
+although browser support isn't as strong meaning you should still include the \
+x-frame-options header"
+ fi
+ source="
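Review bot: The new `wecho -e` calls in the ALLOW-FROM arm rely on wecho forwarding `-e` to echo, which nothing in the hunk shows, and echo's `-e` handling is not portable across shells, so the intended blank lines may instead be printed literally as `-e ...\n\n` on some systems; emitting them with a separate `printf '\n\n'` after each unchanged wecho call keeps the output shell-independent. The rewritten message also carries over the wrong word "derivative" where the X-Frame-Options ALLOW-FROM directive is meant: `wecho "The ALLOW-FROM directive is obsolete and no longer works \`. test_x-frame-options's body starts before and continues past this hunk.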