BIN: analyse-headers: note on x-frame-options if frame-ancestors present

If the frame-ancestors content security policy is present, the
x-frame-options warning mentions that the content security helps
mitigate against clickjacking although for greater browser support,
x-frame-options should also be used

Thanks <Dom Ingram> for the suggestion
master
Jonathan Hodgson 4 years ago
parent 1fabc27b79
commit 2e1dff91a3
  1. 16
      bin/.bin/webtest/analyse-headers

@ -117,10 +117,10 @@ test_x-frame-options(){
"SAMEORIGIN"|"DENY") return 0 ;;
"ALLOW-FROM"*)
echo "X-Frame-Opitons" | drawInBox
wecho "The ALLOW-FROM derivative is obsolete and no longer works \
in modern browsers."
wecho "The Content-Security-Policy HTTP header has a \
frame-ancestors directive which you can use instead."
wecho -e "The ALLOW-FROM derivative is obsolete and no longer works \
in modern browsers.\n\n"
wecho -e "The Content-Security-Policy HTTP header has a \
frame-ancestors directive which you can use instead.\n\n"
return 1
;;
*)
@ -131,6 +131,14 @@ indicate whether or not a browser should be allowed to render a page in a \
click-jacking attacks, by ensuring that their content is not embedded into \
other sites."
if echo "$headers" |
grep -Eqi '^content-security-policy:.*frame-ancestors.*'; then
wecho "It looks like the content security policy contains the \
frame ancestors directive. This also mitigates against the clickjacking \
although browser support isn't as strong meaning you should still include the \
x-frame-options header"
fi
source="
<!DOCTYPE html>
<html>

Loading…
Cancel
Save