happyDomain/checker-http
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Deepen CSP, Permissions-Policy and cookie audits

Browse source 
Detect CSP weaknesses individually (unsafe-inline, unsafe-eval, missing
default-src/script-src, permissive sources on script-src or its
default-src fallback) instead of a single catch-all "unsafe" code, and
honour CSP3 fetch-directive fallback via EffectiveSources/WildcardSource
helpers. Validate Permissions-Policy values: warn when a powerful
feature (camera, microphone, geolocation, payment, sensors, …) is
granted to all origins. Add a SameSite aggregate state on cookie audits
so callers get the global ratio alongside per-cookie diagnostics.
This commit is contained in:
nemunaire 2026-04-27 11:50:42 +07:00
commit 603e93355b
8 changed files with 738 additions and 305 deletions
Download patch file Download diff file Expand all files Collapse all files

12
checker/rules_cookies.go
View file

@ -35,6 +35,7 @@ func (r *cookieFlagsRule) Evaluate(ctx context.Context, obs sdk.ObservationGette
var states []sdk.CheckState
totalCookies := 0
samesiteMissing := 0
for _, p := range probes {
for _, c := range p.Cookies {
totalCookies++
@ -47,6 +48,7 @@ func (r *cookieFlagsRule) Evaluate(ctx context.Context, obs sdk.ObservationGette
}
if c.SameSite == "" {
issues = append(issues, "missing SameSite")
samesiteMissing++
} else if strings.EqualFold(c.SameSite, "None") && !c.Secure {
issues = append(issues, "SameSite=None requires Secure")
}
@ -63,6 +65,16 @@ func (r *cookieFlagsRule) Evaluate(ctx context.Context, obs sdk.ObservationGette
if totalCookies == 0 {
return []sdk.CheckState{passState("http.cookie_flags.none", "No cookies were set on the inspected responses.")}
}
if samesiteMissing > 0 {
// Aggregate alongside per-cookie diagnostics so callers see the
// global ratio at a glance — mirrors what Mozilla Observatory
// reports as a single cookies test outcome.
states = append(states, sdk.CheckState{
Status: sdk.StatusWarn,
Code: "http.cookie_flags.samesite_missing",
Message: fmt.Sprintf("%d of %d cookies do not set SameSite.", samesiteMissing, totalCookies),
})
}
if len(states) == 0 {
return []sdk.CheckState{passState("http.cookie_flags.ok", fmt.Sprintf("All %d cookies have proper Secure/HttpOnly/SameSite flags.", totalCookies))}
}