Improve handling of CSP

Although I'd like to re-do the csp handling, this change fixes the
detection of unsafe-inline and unsafe-eval.
Jonathan Hodgson 4 years ago
parent b8f104fd00
commit e94ba0b5b2
  1. 28
      bin/.bin/webtest/analyse-headers

@ -190,8 +190,9 @@ text-align: center;
test_content-security-policy(){ test_content-security-policy(){
local value local value
value="$(echo "$1" | cut -d ':' -f 2 | trimWhitespace)" value="$(echo "$1" | cut -d ':' -f 2- | trimWhitespace)"
# TODO: work on content security testing # TODO: work on content security testing
local message=""
if [ -z "$value" ]; then if [ -z "$value" ]; then
echo "Content-Security-Policy" | drawInBox echo "Content-Security-Policy" | drawInBox
@ -201,18 +202,23 @@ given page. With a few exceptions, policies mostly involve specifying server \
origins and script endpoints. This helps guard against cross-site scripting \ origins and script endpoints. This helps guard against cross-site scripting \
attacks (XSS).\n\n" attacks (XSS).\n\n"
return 2 return 2
elif echo "$value" | grep -q 'unsafe-inline'; then else
echo "Content-Security-Policy" | drawInBox if echo "$value" | grep -q 'unsafe-inline'; then
wecho -e "The content security policy includes the \ message+="The content security policy includes the \
${ORANGE}unsafe-inline${NC} property which allows for inline JS/CSS assets. \ ${ORANGE}unsafe-inline${NC} property which allows for inline JS/CSS assets. \
This prevents the content security policy from effectively mitigating against This prevents the content security policy from effectively mitigating against
reflected or stored XSS attacks\n\n" reflected or stored XSS attacks\n\n"
elif echo "$value" | grep -q 'unsafe-eval'; then elif echo "$value" | grep -q 'unsafe-eval'; then
message+="The content security policy includes the \
${ORANGE}unsafe-eval${NC} property which allows for eval to be used in JS. \
This prevents the content security policy from effectively mitigating against
DOM based XSS attacks\n\n"
fi
fi
if [ -n "$message" ]; then
echo "Content-Security-Policy" | drawInBox echo "Content-Security-Policy" | drawInBox
wecho -e "The content security policy includes the \ message="$(echo "$message" | tr -d '\t')"
${ORANGE}unsafe-eval${NC} property which allows for eval to be used in JS. \ wecho -e "$message"
This prevents the content security policy from effectively mitigating against
DOM based XSS attacks\n\n"
fi fi
return 0 return 0
} }

Loading…
Cancel
Save