-
-
Notifications
You must be signed in to change notification settings - Fork 674
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Consider Adding Feature-Policy Header Verification to ASVS #1755
Comments
We have requirement for that topic.
The question is - should the 8.3.11 more clearly point to Permission-Policy header and is it in correct category (8.3 Sensitive Private Data vs V14.4 HTTP Security Headers) Or in other words - the question - we have requirement for that application by it's logic does not ask for unnecessary permissions, but we maybe should have separate or modified requirement to send the message: in case of "XSS" or some other attack, attacker can not ask those permissions from the victim. |
So at the moment we probably need to cover both headers, like in 14.4.7 we ask to use Additionally we need to keep eye on |
Ok so this raises an interesting question. I see two threat scenarios here:
I think that this is the threat which 8.3.11 is coming to try and address and the reason it got moved to V8. Ultimately it is more of a policy question than a malicious attacker question.
This seems like the reason for the permission policy header. As such, it sounds like we need two separate requirements. What do you think? |
Now thinking more about it, it think it makes sense to have this separate requirement. |
From the original proposal:
I think the requirement message should be: all features and accesses to device sensors must be disallowed or blocked by default and only allowed for those URL's and those sensors which application needs. |
OK so how about:
CWE-266 seems like the closest match. L2 because not everything can be a L1 and it is a defense in depth requirement. I'd also consider L3. Comments, @ImanSharaf @elarlang ? |
See my comment here (#1755 (comment)) - I think for some time we need to ask both headers. As by everything is allowed by default, current wording gives feeling that "you need to allow them only when you use them". In practice - you always need to block everything. As it is not tiny change, I don't try to create new wording myself :) I don't think CWE-266 "Incorrect Privilege Assignment" is suitable - the application do not assign any privileges, it just do not block potential malicious privilege assignment by default. By title it is possible to find matching CWE's, but if to read descriptions as well, then those seems to be all file-permissions specific. |
Ok so I did some more reading on this and I have identified a few problems.
I am tagging @kevinkiklee to see if he has any other insights on it. (Hi @kevinkiklee, we were thinking of adding the Feature-Policy/Permissions-Policy headers as a requirement to ASVS but as discussed in this comment I don't think we can can at this stage) Otherwise, at this point I would recommend that we tag this as something to revisit when we reach the ASVS 5.0 "Draft" stage. IF at this stage, the situation has improved then maybe we can add it simply. If not, I think we skip it. |
I agree the maturity is questionable and to declare it's permission separately is nightmare - so maybe we set precondition here that if it is actually doable (without causing extra kilobytes to the traffic) and browers support it: w3c/webappsec-permissions-policy#189 edit: ... or we try to develop level 3 requirement and we make it level 2 when it matches the previous lines. |
@ImanSharaf any further thoughts? |
I believe this works. |
Following up here, it seems like this issue is closed for V14 and that it does not need to be currently considered for the current draft that we are working on as it is lacking maturity. Is that accurate @tghosth? |
I answer myself - there are no big changes, so we leave it out at the moment. I updated the category to V50. V14 it was previously and it is outdated information. |
I've noticed that the current version of ASVS does not have an item covering the implementation of the Feature-Policy header (also known as Permissions-Policy in its latest iteration). This header provides a method to control which browser features and APIs can be invoked, thereby playing a crucial role in minimizing the potential for abuse by malicious actors.
Proposed ASVS Item:
"Verify that a Feature-Policy (or Permissions-Policy) header is implemented to specify which browser features can be used by the application, minimizing the potential for abuse."
The text was updated successfully, but these errors were encountered: