jab2870/Dotfiles
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Improve handling of CSP

Browse source 
Although I'd like to re-do the csp handling, this change fixes the
detection of unsafe-inline and unsafe-eval.
This commit is contained in:
Jonathan Hodgson 2021-01-11 12:16:18 +00:00
parent e77aa36e70
commit 3f01926ab6
1 changed files with 18 additions and 12 deletions
Download patch file Download diff file Expand all files Collapse all files

30
bin/.bin/webtest/analyse-headers
View file

@ -190,8 +190,9 @@ text-align: center;
test_content-security-policy(){ test_content-security-policy(){
local value local value
value="$(echo "$1" | cut -d ':' -f 2 | trimWhitespace)" value="$(echo "$1" | cut -d ':' -f 2- | trimWhitespace)"
# TODO: work on content security testing # TODO: work on content security testing
local message=""
if [ -z "$value" ]; then if [ -z "$value" ]; then
echo "Content-Security-Policy" | drawInBox echo "Content-Security-Policy" | drawInBox
@ -201,18 +202,23 @@ given page. With a few exceptions, policies mostly involve specifying server \
origins and script endpoints. This helps guard against cross-site scripting \ origins and script endpoints. This helps guard against cross-site scripting \
attacks (XSS).\n\n" attacks (XSS).\n\n"
return 2 return 2
elif echo "$value" | grep -q 'unsafe-inline'; then else
if echo "$value" | grep -q 'unsafe-inline'; then
message+="The content security policy includes the \
${ORANGE}unsafe-inline${NC} property which allows for inline JS/CSS assets. \
This prevents the content security policy from effectively mitigating against
reflected or stored XSS attacks\n\n"
elif echo "$value" | grep -q 'unsafe-eval'; then
message+="The content security policy includes the \
${ORANGE}unsafe-eval${NC} property which allows for eval to be used in JS. \
This prevents the content security policy from effectively mitigating against
DOM based XSS attacks\n\n"
fi
fi
if [ -n "$message" ]; then
echo "Content-Security-Policy" | drawInBox echo "Content-Security-Policy" | drawInBox
wecho -e "The content security policy includes the \ message="$(echo "$message" | tr -d '\t')"
${ORANGE}unsafe-inline${NC} property which allows for inline JS/CSS assets. \ wecho -e "$message"
This prevents the content security policy from effectively mitigating against
reflected or stored XSS attacks\n\n"
elif echo "$value" | grep -q 'unsafe-eval'; then
echo "Content-Security-Policy" | drawInBox
wecho -e "The content security policy includes the \
${ORANGE}unsafe-eval${NC} property which allows for eval to be used in JS. \
This prevents the content security policy from effectively mitigating against
DOM based XSS attacks\n\n"
fi fi
return 0 return 0
} }