BIN: analyse-headers: Checks the access-control-allow-origin header
Another suggestion by <Dom Ingram>. For more details on the null issue, read here: https://w3c.github.io/webappsec-cors-for-developers/#avoid-returning-access-control-allow-origin-null
This commit is contained in:
parent f669880037
commit b49d000408
1 changed file with 26 additions and 0 deletions
@ -361,6 +361,32 @@ information (sent via the Referer header) should be included with requests.\n\n"
fi
}

test_access-control-allow-origin(){
local value
value="$(echo "$1" | cut -d ':' -f 2- | trimWhitespace)"
if [ "$value" = "*" ]; then
echo "Access-Control-Allow-Origin" | drawInBox
wecho "The Access-Control-Allow-Origin header indicates whether the \
response can be shared with requesting code from the given origin
The value was found to be * meaning any origin. This is not normally desirable.
\n"
return 1
elif echo "$value" | grep -q "null"; then
echo "Access-Control-Allow-Origin" | drawInBox
wecho "The Access-Control-Allow-Origin header indicates whether the \
response can be shared with requesting code from the given origin
The value was found to be null. the serialization of the Origin of any \
resource that uses a non-hierarchical scheme (such as data: or file: ) and \
sandboxed documents is defined to be \"null\". Many User Agents will grant \
such documents access to a response with an Access-Control-Allow-Origin: \
\"null\" header, and any origin can create a hostile document with a \"null\" \
Origin. The \"null\" value for the ACAO header should therefore be avoided.\n\n"
return 1

fi
return 0
}


usage(){
echo -n "analyse-headers [OPTIONS]... URL
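Review bot: the null branch is a substring match (`elif echo "$value" | grep -q "null"; then`), so any header value that merely contains the text "null" anywhere in an origin would be reported as the null origin, while the `*` branch uses an exact comparison; for consistency and to avoid that false positive, compare exactly, e.g. `elif [ "$value" = "null" ]; then`. Two smaller points in the same hunk: the function name `test_access-control-allow-origin` contains hyphens, which bash accepts but POSIX sh and dash do not, so the check only runs when the script is executed with bash; and in the null message "The value was found to be null. the serialization" the second sentence should start with a capital letter, and its trailing "\n\n" differs from the single "\n" used in the `*` branch.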