Improve handling of CSP

Although I'd like to re-do the csp handling, this change fixes the
detection of unsafe-inline and unsafe-eval.
Jonathan Hodgson 4 years ago
parent b8f104fd00
commit e94ba0b5b2
  1. 18
      bin/.bin/webtest/analyse-headers

@ -190,8 +190,9 @@ text-align: center;
test_content-security-policy(){
local value
value="$(echo "$1" | cut -d ':' -f 2 | trimWhitespace)"
value="$(echo "$1" | cut -d ':' -f 2- | trimWhitespace)"
# TODO: work on content security testing
local message=""
if [ -z "$value" ]; then
echo "Content-Security-Policy" | drawInBox
@ -201,19 +202,24 @@ given page. With a few exceptions, policies mostly involve specifying server \
origins and script endpoints. This helps guard against cross-site scripting \
attacks (XSS).\n\n"
return 2
elif echo "$value" | grep -q 'unsafe-inline'; then
echo "Content-Security-Policy" | drawInBox
wecho -e "The content security policy includes the \
else
if echo "$value" | grep -q 'unsafe-inline'; then
message+="The content security policy includes the \
${ORANGE}unsafe-inline${NC} property which allows for inline JS/CSS assets. \
This prevents the content security policy from effectively mitigating against
reflected or stored XSS attacks\n\n"
elif echo "$value" | grep -q 'unsafe-eval'; then
echo "Content-Security-Policy" | drawInBox
wecho -e "The content security policy includes the \
message+="The content security policy includes the \
${ORANGE}unsafe-eval${NC} property which allows for eval to be used in JS. \
This prevents the content security policy from effectively mitigating against
DOM based XSS attacks\n\n"
fi
fi
if [ -n "$message" ]; then
echo "Content-Security-Policy" | drawInBox
message="$(echo "$message" | tr -d '\t')"
wecho -e "$message"
fi
return 0
}

Loading…
Cancel
Save