Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Landing page scanner validation of cache control headers is broken #524

Closed
eloquence opened this issue Jul 31, 2018 · 0 comments
Closed

Landing page scanner validation of cache control headers is broken #524

eloquence opened this issue Jul 31, 2018 · 0 comments
Assignees
@chigby
Labels
bug landing page scanner

Comments

@eloquence
Copy link
Member

The landing page scanner validates several cache control header values, see https://github.com/freedomofpress/securedrop.org/blob/master/scanner/scanner.py#L309

However, the detailed values are not correctly validated; methods like validate_nocache will return False in most real-world cases. I suspect this is due to a naive validation of the header:

def validate_security_header(page, header, expected_value):
    if header not in page.headers:
        return False
    elif page.headers[header] == expected_value:
        return True
    else:
        return False

Note that the naive comparison expects a direct match of header to value, whereas the actual expected value is max-age=0, no-cache, no-store, must-revalidate. All of the detail checks therefore fail when the header is set to the recommended value.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@chigby chigby

Labels
bug landing page scanner
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@eloquence @chigby