From 2e1dff91a30eb77546f3d2435bf7408e9bafad83 Mon Sep 17 00:00:00 2001
From: Jonathan Hodgson
Date: Wed, 9 Dec 2020 16:39:11 +0000
Subject: [PATCH] BIN: analyse-headers: note on x-frame-options if frame-ancestors present
If the frame-ancestors content security policy is present, the x-frame-options warning mentions that the content security helps mitigate against clickjacking although for greater browser support, x-frame-options should also be used
Thanks for the suggestion
---
 bin/.bin/webtest/analyse-headers | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/bin/.bin/webtest/analyse-headers b/bin/.bin/webtest/analyse-headers
index dc96b0e0..d0337bfe 100755
--- a/bin/.bin/webtest/analyse-headers
+++ b/bin/.bin/webtest/analyse-headers
@@ -117,10 +117,10 @@ test_x-frame-options(){
 "SAMEORIGIN"|"DENY") return 0 ;;
 "ALLOW-FROM"*)
 echo "X-Frame-Opitons" | drawInBox
- wecho "The ALLOW-FROM derivative is obsolete and no longer works \
-in modern browsers."
- wecho "The Content-Security-Policy HTTP header has a \
-frame-ancestors directive which you can use instead."
+ wecho -e "The ALLOW-FROM derivative is obsolete and no longer works \
+in modern browsers.\n\n"
+ wecho -e "The Content-Security-Policy HTTP header has a \
+frame-ancestors directive which you can use instead.\n\n"
 return 1 ;;
 *)
@@ -131,6 +131,14 @@ indicate whether or not a browser should be allowed to render a page in a \ click-jacking attacks, by ensuring that their content is not embedded into \ other sites."
+ if echo "$headers" | grep -Eqi '^content-security-policy:.*frame-ancestors.*'; then
+ wecho "It looks like the content security policy contains the \ frame ancestors directive. This also mitigates against the clickjacking \ although browser support isn't as strong meaning you should still include the \ x-frame-options header"
+ fi + source="
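Review bot: The ALLOW-FROM finding printed by the first rewritten `wecho -e` line understates the risk: browsers that never implemented or have since dropped ALLOW-FROM (Chromium-based browsers, Firefox 70 and later) treat the whole X-Frame-Options header as invalid and ignore it, so a site that still relies on it has no clickjacking protection in those browsers at all, not merely reduced coverage. I would say that in the message and fix the wording while there (it is a directive, not a "derivative"), e.g. `wecho -e "The ALLOW-FROM directive is obsolete; browsers that do not recognise it ignore the whole X-Frame-Options header, leaving the page frameable.\n\n"`. The `-e` and the trailing `\n\n` only produce the intended blank line if `wecho`, which is defined outside this hunk, forwards `-e` to a `-e`-aware echo; under a `/bin/sh` echo `-e` can be printed literally, so printing the separator with a separate call may be more robust than relying on backslash-escape processing. The heading on the context line above, `X-Frame-Opitons`, is also misspelt. Both this `case` arm and `test_x-frame-options` itself begin before and end after the hunk.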