Feature: 1 new insecure check

Cross-Origin-Embedder-Policy: Potentially Unsafe Value
rfc-st · Dec 13, 2024 · edee3f5 · edee3f5
1 parent 0865d1c
commit edee3f5
Show file tree

Hide file tree

Showing 5 changed files with 20 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -56,7 +56,7 @@
 :heavy_check_mark: 58 [checks](#checks-enabled-headers) for enabled security-related HTTP response headers.<br />
 :heavy_check_mark: 14 [checks](#checks-missing-headers) for missing security-related HTTP response headers (the ones I consider essential).<br />
 :heavy_check_mark: 1186 [checks](#checks-fingerprint-headers) for fingerprinting through HTTP response headers.<br />
-:heavy_check_mark: 126 [checks](#checks-deprecated-headersprotocols-and-insecure-values) for deprecated HTTP response headers/protocols or with insecure/wrong values.<br />
+:heavy_check_mark: 127 [checks](#checks-deprecated-headersprotocols-and-insecure-values) for deprecated HTTP response headers/protocols or with insecure/wrong values.<br />
 :heavy_check_mark: SSL/TLS checks: requires the **amazing** https://testssl.sh/.<br />
 :heavy_check_mark: Browser support references for enabled HTTP security headers: provided by https://caniuse.com/.<br />
 :heavy_check_mark: Two types of analysis: brief and detailed, along with HTTP response headers.<br />

diff --git a/additional/insecure.txt b/additional/insecure.txt
@@ -60,6 +60,7 @@ Content-Type: Non-HTML MIME type
 Content-Type: Unsafe Value
 Critical-CH: Ignored Header via Unsafe Scheme
 Cross-Origin-Embedder-Policy: No Valid Directives
+Cross-Origin-Embedder-Policy: Potentially Unsafe Value
 Cross-Origin-Opener-Policy: No Valid Directives
 Cross-Origin-Resource-Policy: No Valid Directives
 Digest: Deprecated Header

diff --git a/humble.py b/humble.py
@@ -1932,8 +1932,9 @@ def custom_help_formatter(prog):
 t_coep = ('credentialless', 'require-corp', 'unsafe-none')
 
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy
+# https://html.spec.whatwg.org/multipage/browsers.html#cross-origin-opener-policies
 t_coop = ('noopener-allow-popups', 'same-origin', 'same-origin-allow-popups',
-          'unsafe-none')
+          'same-origin-plus-COEP', 'unsafe-none')
 
 # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Resource-Policy
 t_corp = ('cross-origin', 'same-origin', 'same-site')
@@ -2222,6 +2223,8 @@ def custom_help_formatter(prog):
     coep_h = headers_l['cross-origin-embedder-policy']
     if not any(elem in coep_h for elem in t_coep):
         print_details('[icoep_h]', '[icoep]', 'd', i_cnt)
+    if 'credentialless' in coep_h:
+        print_details('[icoepu_h]', '[icoepu]', 'd', i_cnt)
 
 if 'cross-origin-opener-policy' in headers_l and '21' not in skip_list:
     coop_h = headers_l['cross-origin-opener-policy']

diff --git a/l10n/details.txt b/l10n/details.txt
@@ -450,6 +450,13 @@
 [icoep_h]
  Cross-Origin-Embedder-Policy (No Valid Directives)
 
+[icoepu_h]
+ Cross-Origin-Embedder-Policy (Potentially Unsafe Value)
+
+[icoepu]
+ Check that 'Opaque response blocking' and 'Private network access' are enabled.
+ Ref: https://html.spec.whatwg.org/multipage/browsers.html#coep-credentialless
+
 [icoep]
  Include at least one valid directive.
  Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy

diff --git a/l10n/details_es.txt b/l10n/details_es.txt
@@ -451,6 +451,13 @@
 [icoep_h]
  Cross-Origin-Embedder-Policy (Sin directivas adecuadas)
 
+[icoepu_h]
+ Cross-Origin-Embedder-Policy (Valor potencialmente inseguro)
+
+[icoepu]
+ Revisa que estén habilitados "Private Network Access" y "Opaque Response Blocking".
+ Ref: https://html.spec.whatwg.org/multipage/browsers.html#coep-credentialless
+
 [icoep]
  Incluya, al menos, una directiva correcta.
  Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy