From 50ab29f6acfeca1b6fc0b0d8af002bdb567a7c71 Mon Sep 17 00:00:00 2001
From: Jan Klopper
Date: Mon, 18 Mar 2024 19:59:21 +0100
Subject: [PATCH 1/2] Update check_csp_header.py
This adds a warning to the CSP validator for 'self' on script-src directives.
---
octopoes/bits/check_csp_header/check_csp_header.py | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/octopoes/bits/check_csp_header/check_csp_header.py b/octopoes/bits/check_csp_header/check_csp_header.py
index aafe0466abc..03303a6451c 100644
--- a/octopoes/bits/check_csp_header/check_csp_header.py
+++ b/octopoes/bits/check_csp_header/check_csp_header.py
@@ -30,7 +30,7 @@ def run(input_ooi: HTTPHeader, additional_oois: list, config: dict[str, str]) ->
     if "unsafe-inline" in header.value or "unsafe-eval" in header.value or "unsafe-hashes" in header.value:
         findings.append(
-            "unsafe-inline, unsafe-eval and unsafe-hashes should not be used in the CSP settings of an HTTP Header."
+            "unsafe-inline, unsafe-eval and unsafe-hashes should not be used in the CSP settings of a HTTP Header."
         )
     if "frame-src" not in header.value and "default-src" not in header.value and "child-src" not in header.value:
@@ -67,6 +67,11 @@ def run(input_ooi: HTTPHeader, additional_oois: list, config: dict[str, str]) ->
                 "'data:' should not be used in the value of default-src, object-src and script-src in the CSP settings."
             )
+        if policy[0] == "script-src" and "'self'" in policy:
+            findings.append(
+                "'self' for `script-src` can be problematic if you host JSONP, Angular or user uploaded files."
+            )
+
         if policy[0].endswith("-uri") and (
             "unsafe-eval" in policy[2:] or "unsafe-hashes" in policy[2:]
From 869289d123d096d4155727f94a7c64a215999814 Mon Sep 17 00:00:00 2001
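Review bot: The new `'self'` check in the `@@ -67,6 +67,11 @@` hunk only fires on an explicit `script-src` directive, but a policy with no `script-src` governs scripts through `default-src`, so `default-src 'self'` without a `script-src` carries the same same-origin JSONP / user-upload exposure and is not flagged; following the existing pattern of testing `header.value` for a directive's absence, `if "'self'" in policy and (policy[0] == "script-src" or (policy[0] == "default-src" and "script-src" not in header.value)):` would cover both. Since `'self'` on `script-src` is also the usual recommended baseline, this finding will be raised on most well-configured policies, so the message should tell the reader what to verify rather than only that it "can be problematic", e.g. `"'self' for script-src allows any script served from the site's own origin; check whether same-origin JSONP endpoints, Angular templates or user uploaded files are reachable."` (the backticks around script-src in the added string also differ from the plain wording of the other findings). The diffstat shows no test accompanying the new finding. The enclosing loop over policies and `run()` itself start outside the hunk.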
From: Jan Klopper
Date: Wed, 20 Mar 2024 09:07:13 +0100
Subject: [PATCH 2/2] Update octopoes/bits/check_csp_header/check_csp_header.py
Co-authored-by: ammar92
---
octopoes/bits/check_csp_header/check_csp_header.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/octopoes/bits/check_csp_header/check_csp_header.py b/octopoes/bits/check_csp_header/check_csp_header.py
index 03303a6451c..73edafccc3e 100644
--- a/octopoes/bits/check_csp_header/check_csp_header.py
+++ b/octopoes/bits/check_csp_header/check_csp_header.py
@@ -30,7 +30,7 @@ def run(input_ooi: HTTPHeader, additional_oois: list, config: dict[str, str]) ->
     if "unsafe-inline" in header.value or "unsafe-eval" in header.value or "unsafe-hashes" in header.value:
         findings.append(
-            "unsafe-inline, unsafe-eval and unsafe-hashes should not be used in the CSP settings of a HTTP Header."
+            "unsafe-inline, unsafe-eval and unsafe-hashes should not be used in the CSP settings of an HTTP Header."
         )
     if "frame-src" not in header.value and "default-src" not in header.value and "child-src" not in header.value: