new_audit: ensure clickjacking mitigation through XFO or CSP #16290
+985
−245
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ve self or none, but any value to relax the framing.
sebastian9er
requested review from
connorjclark
and removed request for
a team
adamraine
changed the title
adamraine
reviewed
Dec 20, 2024
adamraine
requested changes
Jan 9, 2025
adamraine
reviewed
Jan 9, 2025
| const headings = [ | ||
| /* eslint-disable max-len */ | ||
| {key: 'description', valueType: 'text', subItemsHeading: {key: 'description'}, label: str_(i18n.UIStrings.columnDescription)}, | ||
| {key: 'directive', valueType: 'code', subItemsHeading: {key: 'directive'}, label: str_(UIStrings.columnDirective)}, |
There was a problem hiding this comment.
This directive column will never have any value, I think we can just remove it.
There was a problem hiding this comment.
Removed the column and pushed a new CL.
For the smokehouse-bin, I modified it (timestamp) and pushed the original version afterwards, but it seems to be empty in the PR.
In my branch it's correctly present: https://github.com/sebastian9er/lighthouse/blob/lighthouse-clickjacking/cli/test/smokehouse/frontends/smokehouse-bin.js
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Adding a new audit to Ligththouse, which detects missing Clickjacking mitigation through the X-Frame-Options or Content-Security-Policy HTTP header.
Part of a larger change to introduce more similar header deployments.
Similar to the HSTS audit (#16257), the description contains a placeholder doc link until the internal doc is approved. @adamraine FYI