new_audit: ensure clickjacking mitigation through XFO or CSP #16290
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…ve self or none, but any value to relax the framing.
sebastian9er
requested review from
connorjclark
and removed request for
a team
adamraine
changed the title
adamraine
reviewed
Dec 20, 2024
| /** Title of a Lighthouse audit that evaluates whether the set CSP or XFO header is mitigating Clickjacking attacks. "XFO" stands for "X-Frame-Options". "CSP" stands for "Content-Security-Policy". */ | ||
| title: 'Ensure Clickjacking mitigation through XFO or CSP.', | ||
| /** Description of a Lighthouse audit that evaluates whether the set CSP or XFO header is mitigating Clickjacking attacks. This is displayed after a user expands the section to see more. No character length limits. The last sentence starting with 'Learn' becomes link text to additional documentation. "XFO" stands for "X-Frame-Options". "CSP" stands for "Content-Security-Policy". */ | ||
| description: 'Deployment of either the X-Frame-Options or Content-Security-Policy (with the frame-ancestors directive) header will prevent Clickjacking attacks. While the XFO header is simpler to deploy, the CSP header is more flexible. [Learn more about mitigating Clickjacking with XFO and CSP](https://developer.chrome.com/docs/lighthouse/best-practices/clickjacking-mitigation).', |
There was a problem hiding this comment.
Suggested change
| description: 'Deployment of either the X-Frame-Options or Content-Security-Policy (with the frame-ancestors directive) header will prevent Clickjacking attacks. While the XFO header is simpler to deploy, the CSP header is more flexible. [Learn more about mitigating Clickjacking with XFO and CSP](https://developer.chrome.com/docs/lighthouse/best-practices/clickjacking-mitigation).', | |
| description: 'The `X-Frame-Options` (XFO) header or the `frame-ancestors` directive in the `Content-Security-Policy` (CSP) header can be used to mitigate clickjacking attacks. While the XFO header is simpler to deploy, the `frame-ancestors` CSP directive is more flexible. [Learn more about mitigating clickjacking](https://developer.chrome.com/docs/lighthouse/best-practices/clickjacking-mitigation).', |
Also what makes the XFO simpler to deploy? Seems like they have the same level of complexity to deploy (just modify header values).
There was a problem hiding this comment.
XFO offers just SAMEORIGIN and DENY, without any granularity and in the past it was easier to deploy (less compatibility concerns), given more browser support than CSP (nowadays, CSP is supported by all major browsers, so maybe "deployment" isn't the correct wording). That being said, for pure clickjacking mitigation, it makes sense to use XFO and only use CSP if more flexibility is needed (CSP should be primarily used for XSS mitigation and mixing it up might confuse some folks).
adamraine
requested changes
Jan 9, 2025
adamraine
reviewed
Jan 9, 2025
| const headings = [ | ||
| /* eslint-disable max-len */ | ||
| {key: 'description', valueType: 'text', subItemsHeading: {key: 'description'}, label: str_(i18n.UIStrings.columnDescription)}, | ||
| {key: 'directive', valueType: 'code', subItemsHeading: {key: 'directive'}, label: str_(UIStrings.columnDirective)}, |
There was a problem hiding this comment.
This directive column will never have any value, I think we can just remove it.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Adding a new audit to Ligththouse, which detects missing Clickjacking mitigation through the X-Frame-Options or Content-Security-Policy HTTP header.
Part of a larger change to introduce more similar header deployments.
Similar to the HSTS audit (#16257), the description contains a placeholder doc link until the internal doc is approved. @adamraine FYI