Open impca opened 5 years ago
Hi @impca aha I guess then we only check the headers. Any chance you have time to do a PR to fix it? I can try to guide you?
Best Peter
Hi @soulgalore ,
I would like to add that HTML `<meta>` tags can be used to supply many more HTTP response headers. Some do not even use the `http-equiv` attribute:
`<meta name="referrer" content="origin">`
(this is a correct way to supply a referrer policy; also probably not detected by the Coach)
Cool @ondras let me know if you have time to do a PR to fix that where it's applicable!
Using the latest docker image of Sitespeed (sitespeedio/sitespeed.io:latest), Coach attempts to detect CSP headers (https://github.com/sitespeedio/coach/pull/315), but CSP declarations in the html source are ignored.
How to check? Create a page with CSP specified in a meta tag (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy#Examples):
Then run Sitespeed and you'll still get the advice: Use a good Content-Security-Policy header to make sure you avoid Cross Site Scripting (XSS) attacks. (contentSecurityPolicyHeader)
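The gap described in this issue and in the comment about `<meta name="referrer">` is a check that reads only HTTP response headers and never the page's `<meta>` tags. The following added example (not Coach's own code, and not an actual Sitespeed API) shows one way to collect the policies a page declares in either place; the header/meta mapping, the regex-based tag scan and the sample page are all constructed here for illustration.

```javascript
// Added illustration (not Coach's own code): collect security policies that a
// page declares either as HTTP response headers or as HTML <meta> tags, so a
// check that only inspects headers does not miss the meta-tag form.
// The meta-tag scan below is a simple regex for illustration, not a full
// HTML parser; the sample HTML and headers are constructed.

// Meta tags that correspond to an HTTP header. http-equiv carries the header
// name directly; name="referrer" is the form without http-equiv.
const META_HEADER_MAP = {
  'content-security-policy': 'content-security-policy',
  'referrer': 'referrer-policy'
};

function parseMetaTags(html) {
  const found = {};
  const tagRe = /<meta\b([^>]*)>/gi;
  const attrRe = /([\w-]+)\s*=\s*"([^"]*)"/g;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(tag[1])) !== null) attrs[a[1].toLowerCase()] = a[2];
    const key = (attrs['http-equiv'] || attrs['name'] || '').toLowerCase();
    const header = META_HEADER_MAP[key];
    if (header && attrs['content']) found[header] = attrs['content'];
  }
  return found;
}

// Header names are lower-cased; a header takes precedence and a meta tag is
// recorded only when no header of that name was sent (assumption for this example).
function effectivePolicies(responseHeaders, html) {
  const policies = {};
  for (const [name, value] of Object.entries(responseHeaders))
    policies[name.toLowerCase()] = { value, source: 'header' };
  for (const [name, value] of Object.entries(parseMetaTags(html)))
    if (!policies[name]) policies[name] = { value, source: 'meta' };
  return policies;
}

// The advice from the issue should only fire when this returns false.
function hasContentSecurityPolicy(responseHeaders, html) {
  return 'content-security-policy' in effectivePolicies(responseHeaders, html);
}

// Constructed sample: CSP and referrer policy come from meta tags only.
const SAMPLE_HTML = `<!doctype html><html><head>
<meta http-equiv="Content-Security-Policy" content="default-src 'self'; img-src https://*">
<meta name="referrer" content="origin">
</head><body></body></html>`;
const SAMPLE_HEADERS = { 'X-Content-Type-Options': 'nosniff' };
```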