Feature: New insecure check

(Supports-Loading-Mode: No Valid Directives)
rfc-st · Nov 10, 2023 · 9254872 · 9254872
1 parent 381a0f6
commit 9254872
Show file tree

Hide file tree

Showing 5 changed files with 24 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -43,7 +43,7 @@ HTTP Headers Analyzer<br />
 
 :heavy_check_mark: 14 [checks](#checks-missing-headers) of missing HTTP response headers.<br />
 :heavy_check_mark: 997 [checks](#checks-fingerprint-headers) of fingerprinting through HTTP response headers.<br />
-:heavy_check_mark: 85 [checks](#checks-deprecated-headersprotocols-and-insecure-values) of deprecated HTTP response headers/protocols or with insecure/wrong values.<br />
+:heavy_check_mark: 86 [checks](#checks-deprecated-headersprotocols-and-insecure-values) of deprecated HTTP response headers/protocols or with insecure/wrong values.<br />
 :heavy_check_mark: Browser compatibility check for enabled security headers.<br />
 :heavy_check_mark: Two types of analysis: brief and detailed, along with HTTP response headers.<br />
 :heavy_check_mark: Export of analysis to HTML5, JSON, PDF 1.4 and TXT.<br />

diff --git a/additional/insecure.txt b/additional/insecure.txt
@@ -56,6 +56,7 @@ Strict-Dynamic: Incorrect Header
 Strict-Transport-Security: Duplicated Values
 Strict-Transport-Security: Ignored Header via Unsafe Scheme
 Strict-Transport-Security: Recommended Values
+Supports-Loading-Mode: No Valid Directives
 Timing-Allow-Origin: Potentially Unsafe Header
 Tk: Deprecated Header
 Trailer: Disallowed Directives

diff --git a/humble.py b/humble.py
@@ -1211,6 +1211,9 @@ def custom_help_formatter(prog):
             'noindex', 'none', 'nopagereadaloud', 'nositelinkssearchbox',
             'nosnippet', 'notranslate', 'noydir', 'unavailable_after']
 
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Supports-Loading-Mode
+l_support_mode = ['credentialed-prerender']
+
 if 'Accept-CH' in headers:
     acceptch_header = headers['Accept-CH'].lower()
     if URL.startswith(INS_S):
@@ -1435,6 +1438,11 @@ def custom_help_formatter(prog):
     if ',' in sts_header:
         print_details('[istsd_h]', '[istsd]', 'd', i_cnt)
 
+if 'Supports-Loading-Mode' in headers:
+    support_mode_h = headers['Supports-Loading-Mode'].lower()
+    if not any(elem in support_mode_h for elem in l_support_mode):
+        print_details('[islmode_h]', '[islmode]', 'd', i_cnt)
+
 if (sts_header) and (URL.startswith(INS_S)):
     print_details('[ihsts_h]', '[ihsts]', 'd', i_cnt)
 

diff --git a/i10n/details.txt b/i10n/details.txt
@@ -488,6 +488,9 @@
 [ictrf_h]
  Transfer-Encoding (No Valid Directives)
 
+[islmode_h]
+ Supports-Loading-Mode (No Valid Directives)
+
 [ihbas_h]
  WWW-Authenticate (Unsafe Value)
 
@@ -848,6 +851,10 @@ HTTP Response Headers
  This header, or its values, may be duplicated.
  Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
 
+[islmode]
+ Include at least one valid directive.
+ Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Supports-Loading-Mode
+
 [ihsts]
  This header is ignored by the browser when accessing via HTTP.
  Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security

diff --git a/i10n/details_es.txt b/i10n/details_es.txt
@@ -488,6 +488,9 @@
 [ictrf_h]
  Transfer-Encoding (Sin directivas adecuadas)
 
+[islmode_h]
+ Supports-Loading-Mode (Sin directivas adecuadas)
+
 [ihbas_h]
  WWW-Authenticate (Valor inseguro)
 
@@ -848,6 +851,10 @@ Cabeceras de respuesta HTTP
  Esta cabecera, o sus valores, pueden estar duplicados.
  Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
 
+[islmode]
+ Incluya, al menos, una directiva correcta.
+ Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Supports-Loading-Mode
+
 [ihsts]
  Al acceder mediante HTTP los navegadores ignoran esta cabecera.
  Ref: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security