From 0dcd7693b7dfa47775f8f7d45101249202e3ff60 Mon Sep 17 00:00:00 2001
From: William Woodruff
Date: Tue, 25 Jun 2024 11:55:50 -0400
Subject: [PATCH 1/4] workflows: remove release workflow
Signed-off-by: William Woodruff
---
 .github/workflows/release.yml | 23 -----------------------
 1 file changed, 23 deletions(-)
 delete mode 100644 .github/workflows/release.yml
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
deleted file mode 100644
index 9fa5006..0000000
--- a/.github/workflows/release.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-on:
-  push:
-    tags:
-      - 'v*'
-
-name: release
-
-jobs:
-  release:
-    name: publish release on github
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v2
-      - name: create release
-        id: create_release
-        uses: actions/create-release@v1
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        with:
-          tag_name: ${{ github.ref }}
-          release_name: Release ${{ github.ref }}
-          draft: false
-          prerelease: ${{ contains(github.ref, 'pre') || contains(github.ref, 'rc') }}
From 73f9cb5b2a85485d42c8059109cd4a3c53579212 Mon Sep 17 00:00:00 2001
From: William Woodruff
Date: Tue, 25 Jun 2024 14:25:10 -0400
Subject: [PATCH 2/4] docs-deploy: refactor
Signed-off-by: William Woodruff
---
 .github/workflows/docs-deploy.yml | 18 +++++++++++-------
 1 file changed, 11 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/docs-deploy.yml b/.github/workflows/docs-deploy.yml
index c1ee0b3..ead0bbc 100644
--- a/.github/workflows/docs-deploy.yml
+++ b/.github/workflows/docs-deploy.yml
@@ -7,9 +7,12 @@ on:
 jobs:
   docs:
+    permissions:
+      pages: write # to deploy to Pages
+      id-token: write # to verify the deployment originates from an appropriate source
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v4
       - name: deps
         run: |
@@ -21,10 +24,11 @@ jobs:
           mkdir public
           roffit < twa.1 > public/index.html
-      - name: deploy
-        uses: peaceiris/actions-gh-pages@v3.5.6
+      - name: upload docs artifact
+        uses: actions/upload-pages-artifact@v3
         with:
-          personal_token: ${{ secrets.GITHUB_TOKEN }}
-          publish_dir: ./public
-          publish_branch: gh-pages
-          force_orphan: true
+          path: ./public/
+
+      - name: Deploy to GitHub Pages
+        id: deployment
+        uses: actions/deploy-pages@v4
From 1526f2a3084d279310613dfc48643b92b50b28bc Mon Sep 17 00:00:00 2001
From: William Woodruff
Date: Tue, 25 Jun 2024 14:26:09 -0400
Subject: [PATCH 3/4] docs-deploy: add an environment
Signed-off-by: William Woodruff
---
 .github/workflows/docs-deploy.yml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.github/workflows/docs-deploy.yml b/.github/workflows/docs-deploy.yml
index ead0bbc..fd94ae2 100644
--- a/.github/workflows/docs-deploy.yml
+++ b/.github/workflows/docs-deploy.yml
@@ -10,6 +10,11 @@ jobs:
     permissions:
       pages: write # to deploy to Pages
       id-token: write # to verify the deployment originates from an appropriate source
+
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
From 15ce8fa7cc4316fe32ebd1ac94be7ee47423bc86 Mon Sep 17 00:00:00 2001
From: Jonathan de Salle
Date: Wed, 22 Jan 2025 16:40:42 +0100
Subject: [PATCH 4/4] added verification for Permission-Policy + give me if Feature-Policy is still used (#93)
---
 twa | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/twa b/twa
index 66f42ba..430b595 100755
--- a/twa
+++ b/twa
@@ -4,7 +4,7 @@ shopt -s nocasematch
-TWA_VERSION="1.11.0"
+TWA_VERSION="1.11.1"
 TWA_TIMEOUT="${TWA_TIMEOUT:-5}"
 TWA_USER_AGENT="${TWA_USER_AGENT:-Mozilla/5.0}"
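Review bot: The new `actions/upload-pages-artifact@v3` and `actions/deploy-pages@v4` steps in the docs-deploy hunk are referenced by mutable major-version tags, in a job that this series grants `id-token: write` and `pages: write`; whoever can move those tags can mint this repository's OIDC token and publish to Pages. Pin each action (including `actions/checkout`) to a full commit SHA with the version kept in a trailing comment, e.g. `uses: actions/deploy-pages@<full-commit-sha> # v4`, and let a dependency bot move the SHA. The deploy-pages documentation also suggests a job- or workflow-level `concurrency: { group: "pages", cancel-in-progress: false }` so two pushes cannot interleave deployments; the job header where that would go is above this hunk.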
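Review bot: The `environment: name: github-pages` block only gates deployments if a deployment-branch policy is configured on that environment, and the workflow's `on:` trigger lies outside this hunk, so I cannot tell from here which refs can reach a job that holds `id-token: write` and `pages: write`. Restrict the `github-pages` environment in repository settings to the default branch (or protected branches) so a push to an arbitrary branch cannot publish the site, and record that expectation beside the key, e.g. `# github-pages is restricted to the default branch in repository settings; keep it that way`. The `url:` reads `steps.deployment.outputs.page_url`, which matches the `id: deployment` the previous patch put on the deploy step, so that reference is consistent.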
@@ -39,7 +39,7 @@ declare -A TWA_CODES=(
   [TWA-0217]="Content-Security-Policy has one or more 'unsafe-inline' policies"
   [TWA-0218]="Content-Security-Policy has one or more 'unsafe-eval' policies"
   [TWA-0219]="Content-Security-Policy missing"
-  [TWA-0220]="Feature-Policy missing"
+  [TWA-0220]="Permissions-Policy missing"
   [TWA-0221]="Expect-CT missing 'enforce' directive"
   [TWA-0222]="Expect-CT missing 'report-uri' directive"
   [TWA-0223]="Expect-CT requires missing 'max-age' directive"
@@ -50,7 +50,7 @@ declare -A TWA_CODES=(
   [TWA-0228]="'Access-Control-Allow-Credentials' header is not configured properly."
   [TWA-0229]="'Cross-Origin-Embedder-Policy' allows cross-origin resources to be fetched without giving explicit permission."
   [TWA-0230]="'Cross-Origin-Opener-Policy' allows the document to be added to its opener's browsing context group."
-
+  [TWA-0231]="Feature-Policy has been deprecated in favor of Permissions-Policy."
   # Stage 3
   [TWA-0301]="Site sends 'Server' with what looks like a version tag: \${server}"
   [TWA-0302]="Site sends a long 'Server', probably disclosing version info: \${server}"
@@ -454,9 +454,15 @@ function stage_2_security_headers {
   fp=$(get_header "Feature-Policy" <<< "${headers}")
   if [[ -n "${fp}" ]]; then
-    SKIP "Feature-Policy checks not implemented yet"
+    MEH TWA-0231
+  fi
+
+  fp=$(get_header "Permissions-Policy" <<< "${headers}")
+
+  if [[ -n "${fp}" ]]; then
+    SKIP "Permissions-Policy checks not implemented yet"
   else
-    FAIL TWA-0220
+    MEH TWA-0220
   fi
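Review bot: Repurposing `TWA-0220` from "Feature-Policy missing" to "Permissions-Policy missing" silently changes what an already-published code means; anyone filtering, suppressing or documenting findings by code will now match a different header. Allocating the next unused `TWA-02xx` code for the Permissions-Policy check and leaving `TWA-0220` retired (or unchanged) keeps old reports comparable, which is also how the series handles the deprecation notice by introducing `TWA-0231` rather than reusing a code. If the reuse is deliberate, say so next to the entry, e.g. `# TWA-0220 was repurposed from Feature-Policy to Permissions-Policy in 1.11.1`. The `TWA_CODES` declaration starts above this hunk.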
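Review bot: In the `@@ -50,7 +50,7 @@` hunk the new `TWA-0231` entry replaces the blank line that separated the stage-2 entries from the `# Stage 3` comment, so the two groups now run together; add the entry and keep the separator, i.e. `  [TWA-0231]="Feature-Policy has been deprecated in favor of Permissions-Policy."` followed by an empty line before `  # Stage 3`. The trailing period is consistent with `TWA-0228`…`TWA-0230` but not with `TWA-0220`…`TWA-0223`, so the table already mixes both styles; this is a style remark only.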