V8.2.2 "Flash cookies" #796
This is great, I say push it live right away.
- Jim
On 5/29/20 8:23 PM, Elar Lang wrote:
V8.2.2
<https://github.com/OWASP/ASVS/blob/master/4.0/en/0x16-V8-Data-Protection.md#v82-client-side-data-protection>
Current:
V8.2.2 Verify that data stored in client side storage (such as
HTML5 local storage, session storage, IndexedDB, *regular cookies
or Flash cookies*) does not contain sensitive data or PII.
"Flash cookies" should be avoided already by V1.14.6:
V1.14.7 Verify the application does not use unsupported, insecure,
or deprecated client-side technologies such as NSAPI plugins,
Flash, Shockwave, ActiveX, Silverlight, NACL, or client-side Java
applets.
No Flash, no Flash cookies.
Proposal:
V8.2.2 Verify that data stored in client side storage (such as
HTML5 local storage, session storage, IndexedDB, *cookies*) does
not contain sensitive data or PII.
Additional questions:
* "local storage" vs "localStorage"
* "session storage" vs "sessionStorage"
* "PII" vs "Personally Identifiable Information (PII)"
--
Jim Manico
Manicode Security
https://www.manicode.com
Updated cookies,
@elarlang Please open a separate issue with any sources to support which way it should be
@elarlang Please add this to the other issue where you mention non-upper case acronyms.