|
|
|
|
@ -276,7 +276,7 @@ test_permissions-policy(){ |
|
|
|
|
wecho "The Permission-Policy header replaces the Feature-Policy and is \ |
|
|
|
|
used to allow or disallow certain browser features or apis in the interest of \ |
|
|
|
|
security.\n\n" |
|
|
|
|
return 3 |
|
|
|
|
return 2 |
|
|
|
|
fi |
|
|
|
|
local value="$(echo "$1" | cut -d ':' -f 2- | trimWhitespace)" |
|
|
|
|
} |
|
|
|
|
@ -287,7 +287,7 @@ test_feature-policy(){ |
|
|
|
|
wecho "The Feature-Policy header was used to allow or disallow certian \ |
|
|
|
|
browser features or apis. It has been superceded by the permissions-policy |
|
|
|
|
header but should still be included for legacy browsers.\n\n" |
|
|
|
|
return 3 |
|
|
|
|
return 2 |
|
|
|
|
fi |
|
|
|
|
if ! echo "$headers" | grep -Eqi '^permissions-policy'; then |
|
|
|
|
echo "Feature-Policy" | drawInBox |
|
|
|
|
@ -295,11 +295,42 @@ header but should still be included for legacy browsers.\n\n" |
|
|
|
|
browser features or apis. It has been superceded by the permissions-policy |
|
|
|
|
header but should still be included for legacy browsers. |
|
|
|
|
It has been highlighted because the Permissions-policy header wasn't found.\n\n" |
|
|
|
|
return 3 |
|
|
|
|
return 2 |
|
|
|
|
fi |
|
|
|
|
local value="$(echo "$1" | cut -d ':' -f 2- | trimWhitespace)" |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
test_expect-ct(){ |
|
|
|
|
local value="$(echo "$1" | cut -d ':' -f 2- | trimWhitespace)" |
|
|
|
|
if [ -z "$1" ]; then |
|
|
|
|
echo "Expect-CT" | drawInBox |
|
|
|
|
wecho "When a site enables the Expect-CT header, they are requesting \ |
|
|
|
|
that the browser check that any certificate for that site appears in public \ |
|
|
|
|
CT logs. |
|
|
|
|
Initially, set the header without the enforce option but with report in order \ |
|
|
|
|
to check for potential breakages\n\n" |
|
|
|
|
return 2 |
|
|
|
|
elif ! echo "$value" | grep -q "enforce"; then |
|
|
|
|
echo "Expect-CT" | drawInBox |
|
|
|
|
wecho "The enforce directive was not found. It can be useful to omit \ |
|
|
|
|
this whilst testing the header, but should be added once testing has finished.\n\n" |
|
|
|
|
return 1 |
|
|
|
|
fi |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
test_referer-policy-ct(){ |
|
|
|
|
local value="$(echo "$1" | cut -d ':' -f 2- | trimWhitespace)" |
|
|
|
|
if [ -z "$1" ]; then |
|
|
|
|
echo "Referrer-Policy" | drawInBox |
|
|
|
|
wecho "The Referrer-Policy HTTP header controls how much referrer \ |
|
|
|
|
information (sent via the Referer header) should be included with requests.\n\n" |
|
|
|
|
return 2 |
|
|
|
|
elif ! echo "$value" | grep -q "enforce"; then |
|
|
|
|
# TODO: add checks for different referer policy opitons |
|
|
|
|
return 1 |
|
|
|
|
fi |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
usage(){ |
|
|
|
|
echo -n "analyse-headers [OPTIONS]... URL |
|
|
|
|
@ -372,7 +403,8 @@ content-security-policy |
|
|
|
|
x-xss-protection |
|
|
|
|
x-content-type-options |
|
|
|
|
feature-policy |
|
|
|
|
permissions-policy" |
|
|
|
|
permissions-policy |
|
|
|
|
expect-ct" |
|
|
|
|
|
|
|
|
|
tmpfile="$(mktemp)" |
|
|
|
|
touch "$tmpfile" |
|
|
|
|
|
Jonathan Hodgson
4 years ago