tools: Check for unsafe Content Security Policy

Check for unsafe Content Security Policy in our static code tests. Closes #7391
cockpit-project · Jul 27, 2017 · 8c7d5e5 · 8c7d5e5
1 parent 15021b7
commit 8c7d5e5
Showing 1 changed file with 16 additions and 1 deletion.
diff --git a/tools/test-static-code b/tools/test-static-code
@@ -2,7 +2,7 @@
 # run static code checks like pyflakes and pep8
 set -eu
 
-echo "1..3"
+echo "1..4"
 
 cd "${srcdir:-.}"
 fail=0
@@ -56,4 +56,19 @@ else
     echo "ok 3 js-translatable-strings"
 fi
 
+#
+# Unsafe content-security-policy
+#
+# It's dangerous to have 'unsafe-inline' or 'unsafe-eval' in our
+# content-security-policy entries. This is the browser equivalent
+# of setenforce 0
+#
+
+if grep -E 'content-security-policy.*(\*|unsafe)' pkg/*/*.json*; then
+    echo "not ok 4 unsafe-security-policy"
+    fail=1
+else
+    echo "ok 4 unsafe-security-policy"
+fi
+
 exit $fail