BIN: analyse-headers: note on x-frame-options if frame-ancestors present

If the frame-ancestors content security policy is present, the x-frame-options warning mentions that the content security helps mitigate against clickjacking although for greater browser support, x-frame-options should also be used Thanks <Dom Ingram> for the suggestion
4 years ago · 2e1dff91a3
parent 1fabc27b79
commit 2e1dff91a3
1 changed files with 12 additions and 4 deletions
--- a/bin/.bin/webtest/analyse-headers
+++ b/bin/.bin/webtest/analyse-headers
@ -117,10 +117,10 @@ test_x-frame-options(){
 		"SAMEORIGIN"|"DENY") return 0 ;;
 		"ALLOW-FROM"*)
 			echo "X-Frame-Opitons" | drawInBox
-			wecho "The ALLOW-FROM derivative is obsolete and no longer works \
-in modern browsers."
-			wecho "The Content-Security-Policy HTTP header has a \
-frame-ancestors directive which you can use instead."
+			wecho -e "The ALLOW-FROM derivative is obsolete and no longer works \
+in modern browsers.\n\n"
+			wecho -e "The Content-Security-Policy HTTP header has a \
+frame-ancestors directive which you can use instead.\n\n"
 			return 1
 			;;
 		*)
@ -131,6 +131,14 @@ indicate whether or not a browser should be allowed to render a page in a \
 click-jacking attacks, by ensuring that their content is not embedded into \
 other sites."

+			if echo "$headers" |
+				grep -Eqi '^content-security-policy:.*frame-ancestors.*'; then
+				wecho "It looks like the content security policy contains the \
+frame ancestors directive. This also mitigates against the clickjacking \
+although browser support isn't as strong meaning you should still include the \
+x-frame-options header"
+			fi
+
 			source="
 <!DOCTYPE html>
 <html>