PCI Scripts Inspector

📋 Overview

This page demonstrates all possible script variants for PCI DSS inventory testing, including:

Inline Scripts - Embedded directly in HTML
External Scripts - Loaded from external sources
Security Headers - Various CSP and security configurations
Script Attributes - Different attribute combinations
Integration Types - Various ways scripts are integrated

📝 Inline Scripts

Inline Script #1 - Basic Analytics

Integration Type: inline
Purpose: Basic page analytics tracking
Security: No integrity hash

Inline Script #2 - Payment Form Validation

Integration Type: inline
Purpose: Payment form validation logic
Security: No integrity hash

Inline Script #3 - Security Token Generation

Integration Type: inline
Purpose: CSRF token generation
Security: No integrity hash

🔗 External Scripts

External Script #1 - Stripe.js (with integrity)

Integration Type: external
Source: https://js.stripe.com/v3/
Purpose: Payment processing
Security: Has integrity hash

External Script #2 - Google Analytics (no integrity)

Integration Type: external
Source: https://www.googletagmanager.com/gtag/js
Purpose: Analytics tracking
Security: No integrity hash

External Script #3 - Custom Widget (with attributes)

Integration Type: external
Source: https://cdn.example.com/widget.js
Purpose: Custom payment widget
Security: Has integrity hash and attributes

External Script #4 - jQuery (legacy, no security)

Integration Type: external
Source: https://code.jquery.com/jquery-3.6.0.min.js
Purpose: DOM manipulation library
Security: No integrity hash, no crossorigin

⚡ Dynamic Script Loading

Dynamic Script #1 - Conditional Loading

Integration Type: external (dynamic)
Purpose: Load scripts based on user preferences
Security: No integrity hash

Dynamic Script #2 - Feature Detection

Integration Type: external (dynamic)
Purpose: Load polyfills when needed
Security: No integrity hash

🛡️ Security Headers & CSP

Content Security Policy

Current Policy: Restrictive CSP with script-src limitations

default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.com https://js.stripe.com; style-src 'self' 'unsafe-inline';

X-Frame-Options

Value: DENY

Prevents clickjacking attacks

X-Content-Type-Options

Value: nosniff

Prevents MIME type sniffing

Referrer Policy

Value: strict-origin-when-cross-origin

Controls referrer information

🏷️ Script Attributes

Security Attributes

integrity - SRI hash verification
crossorigin - CORS handling
referrerpolicy - Referrer control

Loading Attributes

async - Asynchronous loading
defer - Deferred execution
type - Script type specification

Custom Attributes

data-* - Custom data attributes
id - Element identification
class - CSS class assignment

📊 PCI DSS Compliance Status

Script Inventory

Total Scripts: 21

Main Page Scripts: 15

Iframe Scripts: 6

Inline Scripts: 5 (3 main + 2 iframe)

External Scripts: 16 (12 main + 4 iframe)

With Integrity: 4 (3 main + 1 iframe)

Without Integrity: 17 (12 main + 5 iframe)

Security Status

OK Content Security Policy

OK X-Frame-Options

OK X-Content-Type-Options

CHANGED Some scripts modified

Review Required

NEW 2 new scripts detected

CHANGED 1 script modified

MISSED 1 authorized script missing

🖼️ Iframe with Embedded Scripts

Iframe Content - Nested Scripts

Integration Type: iframe with inline and external scripts
Purpose: Demonstrate nested script detection
Security: Mixed security levels within iframe

Iframe Script Contents (Base64 Decoded):

Inline Script #1: Console log on iframe load
External Script #1: https://cdn.example.com/iframe-script.js
Inline Script #2: Function to update iframe content
External Script #2: jQuery 3.6.0 from CDN
Module Script: Vue.js ES6 module import
Dynamic Script: Dynamically loaded script with integrity

Iframe Security Features:

Sandbox: allow-scripts allow-same-origin
Loading: lazy loading for performance
Title: Descriptive title for accessibility
Styling: Visual border and rounded corners

🌐 Iframe

External Website Iframe

Integration Type: cross-origin iframe
Purpose: Test external website script detection
Security: Cross-origin restrictions apply
Content: Live test-deep-link-app website

Cross-Origin Iframe Features:

Source: https://dtelega.github.io/
Referrer Policy: no-referrer
Loading: lazy loading for performance
Styling: Red border to distinguish from embedded iframe
Purpose: Test how inspector handles external website content

Expected Behavior:

Cross-Origin Restrictions: Same-origin policy will limit access
Script Detection: May not be able to inspect internal scripts
Security: Demonstrates real-world iframe limitations
Testing: Shows inspector's behavior with external content
Content: Test Deep Link App with "Simulate Error" and "Simulate Success" buttons

🧪 Testing Instructions

For PCI Scripts Inspector Testing:

Scan this page using the PCI Scripts Inspector service
Verify script detection - should find all 21 scripts (15 + 6 iframe)
Check integration types - inline vs external vs iframe
Validate security headers - CSP, X-Frame-Options, etc.
Test integrity hashes - some scripts have SRI, others don't
Verify attributes - crossorigin, async, defer, etc.
Check dynamic loading - scripts loaded via JavaScript
Test iframe handling - nested script detection within iframes

Expected Results:

InspectionJob Status: Should complete successfully
Script Count: 21 total scripts detected (15 main + 6 iframe)
Security Headers: All major security headers present
Report Generation: Should create detailed report with script analysis
Iframe Detection: Should detect scripts within iframe content

🔒 PCI Scripts Inspector