Bug #7575

Missing or Permissive Content-Security-Policy frame-ancestors HTTP Response Header

Added by Pavel Kácha about 2 years ago. Updated over 1 year ago.

Status:
Closed
Priority:
Normal
Category:
Development - GUI
Target version:
Start date:
03/23/2022
Due date:
% Done:

100%

Estimated time:
To be discussed:
No

Description

Nessus

Synopsis

The remote web server does not take steps to mitigate a class of web application vulnerabilities.

Description

The remote web server in some responses sets a permissive Content-Security-Policy (CSP) frame-ancestors response header or does not set one at all.

The CSP frame-ancestors header has been proposed by the W3C Web Application Security Working Group as a way to mitigate cross-site scripting and clickjacking attacks.

Links and related

https://www.tenable.com/plugins/nessus/50344
https://content-security-policy.com/
https://www.w3.org/TR/CSP2/
http://www.nessus.org/u?07cc2a06
http://www.nessus.org/u?55aa8f57

#1

Updated by Pavel Kácha about 2 years ago

FLAB Pentest 2022-03 no. 42

#2

Updated by Rajmund Hruška over 1 year ago

  • Status changed from New to Closed
  • Assignee set to Rajmund Hruška
  • % Done changed from 0 to 100

We were using X-Frame-Options: DENY, which is said to be roughly equivalent. But it is also said that the frame-ancestors directive obsoletes the X-Frame-Options header. So I replaced the X-Frame-Options header with the frame-ancestors directive.
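As an added illustration (example code, not the project's or Nessus' own), the check below classifies one response's framing protection the way this finding is described: a frame-ancestors directive that is absent or permissive is reported, a response that carries only the legacy X-Frame-Options header is kept in its own class so the state this issue started in can be reproduced, and the strict form that closed the issue passes. The header names are standard; the sample responses are constructed.

```python
"""Classify clickjacking protection from HTTP response headers.

Added example, not the project's code. The two sample header sets at the
bottom are constructed to mirror the before/after state of this issue.
"""

# Sources that allow any origin to frame the page; Nessus calls such a policy permissive.
PERMISSIVE = {"*", "http:", "https:"}


def parse_csp(value: str) -> dict:
    """Split a Content-Security-Policy value into {directive: [source, ...]}."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def framing_status(headers: dict) -> str:
    """Return 'missing', 'permissive', 'legacy' or 'strict' for one response.

    'legacy' means only X-Frame-Options is present: DENY/SAMEORIGIN still
    protects browsers that honour it, but the scanner reports the response
    because the CSP frame-ancestors directive is absent.
    Content-Security-Policy-Report-Only is ignored since it enforces nothing.
    """
    h = {k.lower(): v for k, v in headers.items()}
    sources = parse_csp(h.get("content-security-policy", "")).get("frame-ancestors")
    if sources is not None:
        # An empty source list matches no ancestor, i.e. it behaves like 'none'.
        if any(s.lower() in PERMISSIVE for s in sources):
            return "permissive"
        return "strict"
    if h.get("x-frame-options", "").strip().upper() in ("DENY", "SAMEORIGIN"):
        return "legacy"
    return "missing"


# Constructed samples: the response before and after the change in this issue.
BEFORE = {"Content-Type": "text/html", "X-Frame-Options": "DENY"}
AFTER = {"Content-Type": "text/html",
         "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"}

if __name__ == "__main__":
    for name, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(f"{name}: {framing_status(hdrs)}")
```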
