Improve handling of CSP

Although I'd like to re-do the csp handling, this change fixes the
detection of unsafe-inline and unsafe-eval.
Jonathan Hodgson 3 years ago
parent b8f104fd00
commit e94ba0b5b2
bin/.bin/webtest/analyse-headers

@ -190,8 +190,9 @@ text-align: center;
test_content-security-policy(){ test_content-security-policy(){
local value local value
value="$(echo "$1" | cut -d ':' -f 2 | trimWhitespace)" value="$(echo "$1" | cut -d ':' -f 2- | trimWhitespace)"
# TODO: work on content security testing # TODO: work on content security testing
local message=""
if [ -z "$value" ]; then if [ -z "$value" ]; then
echo "Content-Security-Policy" | drawInBox echo "Content-Security-Policy" | drawInBox
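Review bot: the `cut -d ':' -f 2` to `-f 2-` change is the real fix for the broken detection, and the commit message should say so: with `-f 2`, any policy value containing a second colon (for example a `script-src https://...` source) was cut off at that colon, so an `unsafe-inline` or `unsafe-eval` keyword later in the header was never seen by the `grep` below. `local message=""` is declared here but only consumed in the next hunk, which is fine; since the keyword checks are plain substring matches, consider normalising `$value` to lower case (or using `grep -qi`) in this same line so a mixed-case header is not silently passed.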
@ -201,18 +202,23 @@ given page. With a few exceptions, policies mostly involve specifying server \
origins and script endpoints. This helps guard against cross-site scripting \ origins and script endpoints. This helps guard against cross-site scripting \
attacks (XSS).\n\n" attacks (XSS).\n\n"
return 2 return 2
elif echo "$value" | grep -q 'unsafe-inline'; then else
echo "Content-Security-Policy" | drawInBox if echo "$value" | grep -q 'unsafe-inline'; then
wecho -e "The content security policy includes the \ message+="The content security policy includes the \
${ORANGE}unsafe-inline${NC} property which allows for inline JS/CSS assets. \ ${ORANGE}unsafe-inline${NC} property which allows for inline JS/CSS assets. \
This prevents the content security policy from effectively mitigating against This prevents the content security policy from effectively mitigating against
reflected or stored XSS attacks\n\n" reflected or stored XSS attacks\n\n"
elif echo "$value" | grep -q 'unsafe-eval'; then elif echo "$value" | grep -q 'unsafe-eval'; then
message+="The content security policy includes the \
${ORANGE}unsafe-eval${NC} property which allows for eval to be used in JS. \
This prevents the content security policy from effectively mitigating against
DOM based XSS attacks\n\n"
fi
fi
if [ -n "$message" ]; then
echo "Content-Security-Policy" | drawInBox echo "Content-Security-Policy" | drawInBox
wecho -e "The content security policy includes the \ message="$(echo "$message" | tr -d '\t')"
${ORANGE}unsafe-eval${NC} property which allows for eval to be used in JS. \ wecho -e "$message"
This prevents the content security policy from effectively mitigating against
DOM based XSS attacks\n\n"
fi fi
return 0 return 0
} }
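Review bot: `unsafe-eval` is still checked with `elif`, so a policy that contains both `unsafe-inline` and `unsafe-eval` only reports the first; `message+=` was introduced precisely so both findings could accumulate, so make the second check an independent `if` with its own `fi` (`if echo "$value" | grep -q 'unsafe-inline'; then ... fi` followed by `if echo "$value" | grep -q 'unsafe-eval'; then ... fi`). Also, `grep -q 'unsafe-inline'` matches anywhere in the header, so it cannot tell whether the keyword sits in `script-src`, `style-src` or `default-src`; a policy with a strict `script-src` and only `style-src 'unsafe-inline'` gets the same reflected/stored XSS warning, so the message should at least say which directive was matched or the check should be scoped to the directive. The `tr -d '\t'` cleanup of the continued-line indentation is a reasonable stopgap, but the same effect is cheaper to get by keeping the continuation lines unindented.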
