From f9be929eb9a2ca55bb51695dc9477032fc03fde5 Mon Sep 17 00:00:00 2001
From: ansuz
Date: Fri, 21 Jan 2022 15:50:40 +0530
Subject: [PATCH] check for unnecessarily permissive CSP
---
 www/checkup/main.js | 37 +++++++++++++++++++++++++++++++++++++
 1 file changed, 37 insertions(+)
diff --git a/www/checkup/main.js b/www/checkup/main.js
index d710747d7..f490014c1 100644
--- a/www/checkup/main.js
+++ b/www/checkup/main.js
@@ -859,6 +859,43 @@ define([
 });
 });
 
+ assert(function (cb, msg) {
+ var directives = [
+ 'img-src',
+ 'media-src',
+ 'child-src',
+ 'frame-src'
+ ];
+
+ msg.appendChild(h('span', [
+ "This instance's ",
+ code("Content-Security-Policy"),
+ " headers are unnecessarily permissive.",
+ h('br'),
+ h('br'),
+ " Review the recommended settings for ",
+ code('img-src'), ', ',
+ code('media-src'), ', ',
+ code('child-src'), ', and ',
+ code('frame-src'),
+ " in the provided NGINX configuration file for an example of how to set these headers correctly.",
+ ]));
+ $.ajax(cacheBuster('/'), {
+ dataType: 'text',
+ complete: function (xhr) {
+ var CSP = parseCSP(xhr.getResponseHeader('content-security-policy'));
+ // check that the relevant CSP directives are defined
+ // and that none of them permit general remote content via '*'
+ if (directives.every(function (k) {
+ return typeof(CSP[k]) === 'string' && !/ \* /.test(CSP[k]);
+ })) {
+ return void cb(true);
+ }
+ cb(CSP);
+ },
+ });
+ });
+
 /*
 assert(function (cb, msg) {
 setWarningClass(msg);
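Review bot: The wildcard test `/ \* /` on the `return typeof(CSP[k])` line only matches a `*` that has a space on both sides, so a directive value with the wildcard first or last (e.g. `img-src *` or `* data:`) passes the check unless parseCSP, which is defined outside this hunk, pads every value with surrounding spaces; anchoring it as `return typeof CSP[k] === 'string' && !/(^|\s)\*(\s|$)/.test(CSP[k]);` covers both ends. A bare scheme source such as `https:` is about as permissive as `*` for the "general remote content" concern the comment describes and is not caught either, so the comment should say the check is limited to the literal wildcard. `xhr.getResponseHeader('content-security-policy')` returns null when the header is absent, so parseCSP must tolerate null for the directives to come back undefined and the assertion to fail cleanly instead of throwing inside the complete callback. A why-comment such as `// each directive must be set explicitly; fall-back to default-src (and child-src for frame-src) is deliberately not accepted` would make it clear that an undefined directive failing the check is intended rather than an oversight. The enclosing define() module body starts and ends outside the hunk.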