task - define and check usage of host and domain #989
Comments
This is a good catch. I like the suggestion and I wonder what the best way to do this is? There's no appendix, so is there a need to define it in the beginning, or can we define it upon first use of the term?
I just made the task to not forget it :) I think it's enough to describe them both in: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x90-Appendix-A_Glossary.md and just check and validate that all requirements and the entire document follow those definitions.
Collecting sources: https://developer.mozilla.org/en-US/docs/Web/API/Location
Sources that show the variance over time when it comes to these terms:
https://tantek.com/2011/238/b1/many-ways-slice-url-name-pieces
Seems mission impossible and close?
Origin: Two URLs have the same origin if the protocol, port (if specified), and host are the same for both: https://datatracker.ietf.org/doc/html/rfc6454#section-3.2
Host: The same RFC above also says: "If user agents did not include the scheme, there would be no isolation between http://example.com and https://example.com because the two have the same host." From this I think we can deduce what host is.
Domain: is just site.com - what you register.
Found requirements: Requirement contains "Host":
Requirement contains "Domain":
Requirement contains "Origin":
From this list, it seems to me that 14.4.8 and 14.5.3 may need an update. Proposals:
My small edits:
V14.4.8 [ADDED] Verify that the Cross-Origin Resource Sharing (CORS) Access-Control-Allow-Origin header uses a strict allow list of trusted origins. When "Access-Control-Allow-Origin: *" needs to be used, verify that the responses do not include any sensitive information.
V14.5.3 [MODIFIED] Verify that the Origin header is validated against a defined list of allowed origins to match the desired Cross-Origin Resource Sharing (CORS) policy.
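The RFC 6454 definition of origin quoted above and the strict allow-list wording proposed for V14.4.8 / V14.5.3 can be made concrete in code. The following is an added Python example and is not part of this issue or of the ASVS project; it assumes a server-side check that compares the request's Origin header, as a (scheme, host, port) triple, against a configured allow list, and it fills in the scheme's default port when none is given so that `https://a.example` and `https://a.example:443` compare equal. The suffix-match helper at the end shows the "domain" comparison that an origin comparison replaces.

```python
from urllib.parse import urlsplit

# RFC 6454 compares scheme, host and port; a missing port means the scheme default.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return the (scheme, host, port) triple that RFC 6454 calls an origin.

    Assumption (added here, not from the issue): the host is lowercased and a
    missing port is replaced by the scheme's default port.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname          # lowercased; IPv6 brackets stripped
    if not scheme or not host:
        raise ValueError(f"not an absolute URL: {url!r}")
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def same_origin(a, b):
    """True when both URLs share scheme, host and port (RFC 6454 section 3.2)."""
    return origin_of(a) == origin_of(b)


def is_allowed_origin(origin_header, allow_list):
    """Strict allow-list check: the Origin header must equal one allowed origin exactly.

    'null', missing or unparsable Origin values are rejected rather than reflected.
    """
    if not origin_header or origin_header == "null":
        return False
    try:
        requested = origin_of(origin_header)
    except ValueError:
        return False
    return any(requested == origin_of(allowed) for allowed in allow_list)


def cors_headers(origin_header, allow_list, public=False):
    """Build the CORS response headers for one request.

    public=True is the "Access-Control-Allow-Origin: *" case from V14.4.8: usable only
    for responses that carry no sensitive information (browsers also refuse "*"
    together with credentials). Otherwise the allowed origin is echoed back and
    "Vary: Origin" is set so caches keep per-origin responses apart.
    """
    if public:
        return {"Access-Control-Allow-Origin": "*"}
    if not is_allowed_origin(origin_header, allow_list):
        return {}
    return {"Access-Control-Allow-Origin": origin_header, "Vary": "Origin"}


def weak_suffix_check(origin_header, trusted_domain):
    """The comparison the strict wording rules out: matching on the registered
    'domain' as a string suffix instead of comparing origins. Included so the
    difference between the two definitions is visible on a concrete input."""
    return origin_header.endswith(trusted_domain)


if __name__ == "__main__":
    allow = ["https://app.example.com"]
    print(same_origin("http://example.com", "https://example.com"))   # False: scheme differs
    print(cors_headers("https://app.example.com", allow))
    print(cors_headers("https://app.example.com.other.test", allow))  # {} : not in allow list
    print(weak_suffix_check("https://otherexample.com", "example.com"))  # True: why suffix checks fail
```

The only origin that reaches the response header is one that was already in the configured list, so the header value is never built from untrusted input that did not match exactly; `Vary: Origin` keeps a shared cache from serving one origin's response to another.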
Task from #978 (comment), pointed out by @timhemel
Define for ASVS what is meant by "Host", "Domain" or "Host or Domain" and check that the entire document and every requirement follow it.