new_audit: ensure clickjacking mitigation through XFO or CSP #16290

sebastian9er · 2024-12-18T13:43:06Z

Summary
Adding a new audit to Ligththouse, which detects missing Clickjacking mitigation through the X-Frame-Options or Content-Security-Policy HTTP header.

Part of a larger change to introduce more similar header deployments.

Similar to the HSTS audit (#16257), the description contains a placeholder doc link until the internal doc is approved. @adamraine FYI

…ve self or none, but any value to relax the framing.

…rnal approval).

adamraine

Can you revert your changes to cli/test/smokehouse/frontends/smokehouse-bin.js

core/audits/clickjacking-mitigation.js

adamraine

There are still changes to smokehouse-bin.js, not sure why but can you revert them?

core/audits/clickjacking-mitigation.js

…ated JSON.

…er stuff.

…n9er/lighthouse into lighthouse-clickjacking

sebastian9er · 2025-01-10T17:03:33Z

Thanks for your help, Adam! Should work now.

sebastian9er · 2025-01-14T09:53:37Z

Are any of the errors related to this audit? To me it looks like no, but maybe implicitly?

adamraine · 2025-01-14T21:12:06Z

Are any of the errors related to this audit?

Some of them yes, but it was just some minor audit count / snapshot stuff.

The other failures are unrelated and blocked on #16301

sebastian9er and others added 19 commits November 15, 2024 13:30

Add files to gitignore.

2df023e

Merge remote-tracking branch 'upstream/main'

f95d133

Merge branch 'GoogleChrome:main' into main

e52e1b8

Merge branch 'main' of https://github.com/sebastian9er/lighthouse

3861727

Commit gitignore

8717e3c

Merge branch 'GoogleChrome:main' into main

009af4e

Add first version for the clickjacking mitigation audit for Lighthouse.

069260b

Revert files requested in the PR.

8b123ab

Revert more files.

aac2789

Fix year in the smokehouse-bin.

cd5761f

Fix default config.

6c11434

Update sample json.

de85518

Test commit to Smokehouse-bin.

7f10f7f

Revert smokehouse-bin.

ba82107

Add Smokehouse tests for the Clickjacking Lighthouse audit.

feabb42

Merge branch 'GoogleChrome:main' into lighthouse-clickjacking

6d5b543

Adjust Clickjacking audit to pass even if frame-ancestors does not ha…

9eaca8f

…ve self or none, but any value to relax the framing.

Replace placeholder link with potential chrome dev post (pending inte…

268229b

…rnal approval).

Update sample json.

5d86c36

sebastian9er requested a review from a team as a code owner December 18, 2024 13:43

sebastian9er requested review from connorjclark and removed request for a team December 18, 2024 13:43

vercel bot deployed to Preview December 18, 2024 13:43 View deployment

Remove unnecessary meta element lookups.

1717db0

vercel bot deployed to Preview December 19, 2024 10:09 View deployment

adamraine changed the title ~~new_audit: ensure clickjacking mitigation through xfo or csp~~ new_audit: ensure clickjacking mitigation through XFO or CSP Dec 20, 2024

adamraine reviewed Dec 20, 2024

View reviewed changes

Merge branch 'main' into lighthouse-clickjacking

e00fa47

vercel bot deployed to Preview January 8, 2025 11:02 View deployment

Fix some improvement recommendations discussed in the PR.

003c7b2

Revert smokehouse-bin.

6e8b39b

vercel bot deployed to Preview January 9, 2025 14:44 View deployment

adamraine requested changes Jan 9, 2025

View reviewed changes

adamraine reviewed Jan 9, 2025

View reviewed changes

core/audits/clickjacking-mitigation.js Outdated Show resolved Hide resolved

Remove Directive column from Clickjacking audit. Fix tests and re-cre…

2297534

…ated JSON.

vercel bot deployed to Preview January 10, 2025 09:14 View deployment

smokehouse revert

e0bd178

adamraine approved these changes Jan 10, 2025

View reviewed changes

vercel bot deployed to Preview January 10, 2025 16:21 View deployment

sebastian9er added 2 commits January 10, 2025 17:37

Fix tests to reflect wording changes in audit strings. Also, fix lint…

16bbf1f

…er stuff.

Merge branch 'lighthouse-clickjacking' of https://github.com/sebastia…

4e94793

…n9er/lighthouse into lighthouse-clickjacking

vercel bot deployed to Preview January 10, 2025 16:38 View deployment

Fix smokehouse test.

11336ba

vercel bot deployed to Preview January 10, 2025 16:56 View deployment

tests fix

8779df7

vercel bot deployed to Preview January 14, 2025 20:41 View deployment

sample

57ceae6

vercel bot deployed to Preview January 14, 2025 20:48 View deployment

oops

f64ce1e

vercel bot deployed to Preview January 14, 2025 21:11 View deployment

Merge branch 'main' into lighthouse-clickjacking

b98f5f9

vercel bot deployed to Preview January 14, 2025 23:11 View deployment

update text from docs feedback

42b0afe

vercel bot deployed to Preview January 21, 2025 19:14 View deployment

tests

5a2c5dd

vercel bot deployed to Preview January 21, 2025 19:27 View deployment

adamraine merged commit 466f6c6 into GoogleChrome:main Jan 22, 2025
24 checks passed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

new_audit: ensure clickjacking mitigation through XFO or CSP #16290

new_audit: ensure clickjacking mitigation through XFO or CSP #16290

sebastian9er commented Dec 18, 2024

adamraine left a comment

adamraine left a comment

sebastian9er commented Jan 10, 2025

sebastian9er commented Jan 14, 2025

adamraine commented Jan 14, 2025 •

edited

Loading

new_audit: ensure clickjacking mitigation through XFO or CSP #16290

new_audit: ensure clickjacking mitigation through XFO or CSP #16290

Conversation

sebastian9er commented Dec 18, 2024

adamraine left a comment

Choose a reason for hiding this comment

adamraine left a comment

Choose a reason for hiding this comment

sebastian9er commented Jan 10, 2025

sebastian9er commented Jan 14, 2025

adamraine commented Jan 14, 2025 • edited Loading

adamraine commented Jan 14, 2025 •

edited

Loading