Bug #7575

closed

Missing or Permissive Content-Security-Policy frame-ancestors HTTP Response Header

Added by Pavel Kácha about 2 years ago. Updated over 1 year ago.

Status: Closed
Priority: Normal
Category: Development - GUI
Target version:
Start date: 03/23/2022
Due date:
% Done: 100%
Estimated time:
To be discussed: No

Description

Nessus

Synopsis

The remote web server does not take steps to mitigate a class of web application vulnerabilities.

Description

The remote web server in some responses sets a permissive Content-Security-Policy (CSP) frame-ancestors response header or does not set one at all.

The CSP frame-ancestors header has been proposed by the W3C Web Application Security Working Group as a way to mitigate cross-site scripting and clickjacking attacks.
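The check below is an added example, not part of the ticket or of the Nessus plugin: it classifies a response's frame-ancestors handling as missing, permissive or restrictive, using constructed sample headers. Treating bare scheme sources such as `https:` as permissive is this example's own reading of "permissive"; Report-Only policies are deliberately not counted because browsers do not enforce them.

```python
from typing import Dict, List, Optional

# Sources that let any origin frame the page (bare schemes counted by this example's own choice).
PERMISSIVE_SOURCES = {"*", "http:", "https:", "data:", "blob:"}


def frame_ancestors_sources(csp_values: List[str]) -> Optional[List[str]]:
    """Return frame-ancestors sources from enforced CSP header values, or None.
    Multiple CSP headers combine: every policy must be satisfied, so a
    restrictive directive in any one of them wins over a permissive one.
    A directive with no sources means 'none' (matches nothing).
    """
    strictest = None
    for value in csp_values:
        for directive in value.split(";"):
            tokens = directive.strip().split()
            if not tokens or tokens[0].lower() != "frame-ancestors":
                continue
            sources = [t.lower() for t in tokens[1:]] or ["'none'"]
            permissive_now = bool(set(sources) & PERMISSIVE_SOURCES)
            if strictest is None or (not permissive_now and set(strictest) & PERMISSIVE_SOURCES):
                strictest = sources
    return strictest


def assess_frame_ancestors(headers: Dict[str, List[str]]) -> str:
    """Classify a response as 'missing', 'permissive' or 'restrictive'.
    `headers` maps lowercase header names to the list of values received.
    Report-Only policies are not consulted: browsers do not enforce them.
    """
    sources = frame_ancestors_sources(headers.get("content-security-policy", []))
    if sources is None:
        return "missing"
    return "permissive" if set(sources) & PERMISSIVE_SOURCES else "restrictive"


# Constructed sample responses (not captured from any real server).
SAMPLES = {
    "no_csp": {"server": ["nginx"]},
    "report_only": {"content-security-policy-report-only": ["frame-ancestors 'none'"]},
    "wildcard": {"content-security-policy": ["default-src 'self'; frame-ancestors *"]},
    "scheme_only": {"content-security-policy": ["frame-ancestors https:"]},
    "self_only": {"content-security-policy": ["default-src 'self'; frame-ancestors 'self'"]},
    "two_policies": {"content-security-policy": ["frame-ancestors *", "frame-ancestors 'none'"]},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:13s} -> {assess_frame_ancestors(hdrs)}")
```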

Links and related

https://www.tenable.com/plugins/nessus/50344
https://content-security-policy.com/
https://www.w3.org/TR/CSP2/
http://www.nessus.org/u?07cc2a06
http://www.nessus.org/u?55aa8f57
