BIN: analyse-headers: note on x-frame-options if frame-ancestors present

If the frame-ancestors content security policy is present, the
x-frame-options warning mentions that the content security helps
mitigate against clickjacking although for greater browser support,
x-frame-options should also be used.

Thanks <Dom Ingram> for the suggestion
Jonathan Hodgson 4 years ago
parent 1b42f81f47
commit 6ac052cd39
  1. 16
      bin/.bin/webtest/analyse-headers

@ -117,10 +117,10 @@ test_x-frame-options(){
"SAMEORIGIN"|"DENY") return 0 ;; "SAMEORIGIN"|"DENY") return 0 ;;
"ALLOW-FROM"*) "ALLOW-FROM"*)
echo "X-Frame-Opitons" | drawInBox echo "X-Frame-Opitons" | drawInBox
wecho "The ALLOW-FROM derivative is obsolete and no longer works \ wecho -e "The ALLOW-FROM derivative is obsolete and no longer works \
in modern browsers." in modern browsers.\n\n"
wecho "The Content-Security-Policy HTTP header has a \ wecho -e "The Content-Security-Policy HTTP header has a \
frame-ancestors directive which you can use instead." frame-ancestors directive which you can use instead.\n\n"
return 1 return 1
;; ;;
*) *)
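Review bot: The user-facing message in this hunk still carries two text errors that should be fixed while these lines are being touched: the box title is misspelled as "X-Frame-Opitons" (context line, unchanged by the diff) and "The ALLOW-FROM derivative is obsolete" should read "directive", since ALLOW-FROM is a directive of the X-Frame-Options header, not a derivative. Also note that switching to `wecho -e` with trailing `\n\n` is a formatting change not mentioned in the commit message, which only describes the frame-ancestors note; either mention it in the message or split it into its own commit so the history stays traceable.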
@ -131,6 +131,14 @@ indicate whether or not a browser should be allowed to render a page in a \
click-jacking attacks, by ensuring that their content is not embedded into \ click-jacking attacks, by ensuring that their content is not embedded into \
other sites." other sites."
if echo "$headers" |
grep -Eqi '^content-security-policy:.*frame-ancestors.*'; then
wecho "It looks like the content security policy contains the \
frame ancestors directive. This also mitigates against the clickjacking \
although browser support isn't as strong meaning you should still include the \
x-frame-options header"
fi
source=" source="
<!DOCTYPE html> <!DOCTYPE html>
<html> <html>
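Review bot: The new check only tests for the presence of the `frame-ancestors` token, not its value, so a header such as `Content-Security-Policy: frame-ancestors *` (which allows framing from anywhere and provides no clickjacking protection) would still trigger the "This also mitigates against the clickjacking" message. Consider capturing the directive value and only reporting mitigation when it is `'none'`, `'self'` or an explicit origin list, or at least soften the wording to "may also mitigate". Two smaller points: the trailing `.*` in the pattern is redundant for `grep -q`, and the message text would read better as "This also mitigates clickjacking, although browser support isn't as strong, so you should still include the x-frame-options header" (with the `\n\n` spacing the other `wecho -e` calls in this file now use).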
