From 7a7ffc608d3a2260d9e1326296c6ca5d08fe6d91 Mon Sep 17 00:00:00 2001
From: Jonathan Hodgson
Date: Thu, 3 Dec 2020 11:19:35 +0000
Subject: [PATCH] BIN: analyse-headers: add expect-ct and start referrer-policy
---
 bin/.bin/webtest/analyse-headers | 40 ++++++++++++++++++++++++++++----
 1 file changed, 36 insertions(+), 4 deletions(-)
diff --git a/bin/.bin/webtest/analyse-headers b/bin/.bin/webtest/analyse-headers
index 97ff84e7..615de21e 100755
--- a/bin/.bin/webtest/analyse-headers
+++ b/bin/.bin/webtest/analyse-headers
@@ -276,7 +276,7 @@ test_permissions-policy(){
 wecho "The Permission-Policy header replaces the Feature-Policy and is \
 used to allow or disallow certain browser features or apis in the interest of \
 security.\n\n"
- return 3
+ return 2
 fi
 local value="$(echo "$1" | cut -d ':' -f 2- | trimWhitespace)"
 }
@@ -287,7 +287,7 @@ test_feature-policy(){
 wecho "The Feature-Policy header was used to allow or disallow certian \
 browser features or apis. It has been superceded by the permissions-policy
 header but should still be included for legacy browsers.\n\n"
- return 3
+ return 2
 fi
 if ! echo "$headers" | grep -Eqi '^permissions-policy'; then
 echo "Feature-Policy" | drawInBox
@@ -295,11 +295,42 @@ header but should still be included for legacy browsers.\n\n"
 browser features or apis. It has been superceded by the permissions-policy
 header but should still be included for legacy browsers. It has been
 highlighted because the Permissions-policy header wasn't found.\n\n"
- return 3
+ return 2
 fi
 local value="$(echo "$1" | cut -d ':' -f 2- | trimWhitespace)"
 }
 
+test_expect-ct(){
+ local value="$(echo "$1" | cut -d ':' -f 2- | trimWhitespace)"
+ if [ -z "$1" ]; then
+ echo "Expect-CT" | drawInBox
+ wecho "When a site enables the Expect-CT header, they are requesting \
+that the browser check that any certificate for that site appears in public \
+CT logs.
+Initially, set the header without the enforce option but with report in order \
+to check for potential breakages\n\n"
+ return 2
+ elif ! echo "$value" | grep -q "enforce"; then
+ echo "Expect-CT" | drawInBox
+ wecho "The enforce directive was not found. It can be useful to omit \
+this whilst testing the header, but should be added once testing has finished.\n\n"
+ return 1
+ fi
+}
+
+test_referer-policy-ct(){
+ local value="$(echo "$1" | cut -d ':' -f 2- | trimWhitespace)"
+ if [ -z "$1" ]; then
+ echo "Referrer-Policy" | drawInBox
+ wecho "The Referrer-Policy HTTP header controls how much referrer \
+information (sent via the Referer header) should be included with requests.\n\n"
+ return 2
+ elif ! echo "$value" | grep -q "enforce"; then
+ # TODO: add checks for different referer policy opitons
+ return 1
+ fi
+}
+
 usage(){
 echo -n "analyse-headers [OPTIONS]... URL
 
@@ -372,7 +403,8 @@ content-security-policy
 x-xss-protection
 x-content-type-options
 feature-policy
-permissions-policy"
+permissions-policy
+expect-ct"
 
 tmpfile="$(mktemp)"
 touch "$tmpfile"
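Review bot: In `test_referer-policy-ct` the `elif ! echo "$value" | grep -q "enforce"` branch is carried over from Expect-CT, but Referrer-Policy has no `enforce` token, so every real Referrer-Policy value takes that branch and returns 1 without printing any finding. A more useful check judges the policy value itself — the header may be a comma-separated fallback list in which the last recognised token wins — and flags the values that send the full URL (path and query) to other origins, `unsafe-url` and `no-referrer-when-downgrade`, as sketched below. The function name also reads as a copy-paste leftover: if the dispatcher derives names as `test_<header>` from the header list in the following hunk, this needs to be `test_referrer-policy`. Separately, the Expect-CT `grep -q "enforce"` is a substring match and the mandatory `max-age` directive is never checked; `grep -Eqi '(^|,)[[:space:]]*enforce[[:space:]]*(,|$)'` plus a `grep -qi 'max-age='` test would be stricter.
```shell
test_referer-policy-ct(){
  local value="$(echo "$1" | cut -d ':' -f 2- | trimWhitespace)"
  # … unchanged: missing-header branch (drawInBox, wecho, return 2) …
  else
    # A fallback list is allowed; browsers apply the last token they recognise.
    local policy
    policy="$(echo "$value" | awk -F ',' '{print $NF}' | trimWhitespace | tr '[:upper:]' '[:lower:]')"
    case "$policy" in
      no-referrer|same-origin|strict-origin|strict-origin-when-cross-origin|origin|origin-when-cross-origin)
        return 0 ;;
      unsafe-url|no-referrer-when-downgrade)
        echo "Referrer-Policy" | drawInBox
        wecho "The effective policy sends the full URL (path and query) to \
other origins. Prefer strict-origin-when-cross-origin, same-origin or no-referrer.\n\n"
        return 1 ;;
      *)
        echo "Referrer-Policy" | drawInBox
        wecho "Unrecognised Referrer-Policy value; browsers ignore tokens they \
do not know and fall back to their default.\n\n"
        return 1 ;;
    esac
  fi
}
```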
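Review bot: The header list gains `expect-ct` but not `referrer-policy`, so if this list is what drives the `test_<header>` dispatch, the new Referrer-Policy function in the previous hunk is never invoked. The subject line says referrer-policy is only started, so if that is deliberate a `# TODO: referrer-policy` beside the entry would keep it from being forgotten; otherwise the fix is to append `referrer-policy"` after `expect-ct`. Note too that Expect-CT has since been deprecated by the major browsers, so reporting its absence as a finding (`return 2`) may warrant revisiting.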