
window.opener exploitable & security headers missing? #29

Open
Arinerron opened this issue Feb 28, 2017 · 1 comment
Labels
T-bug Type: Bug

Comments

@Arinerron

If I were you, I'd add rel="noopener noreferrer" to links to external URLs so people can't exploit window.opener. Not very serious, but worth doing. Read more

I know, I know. Everybody hates when others tell them they are missing security headers. Is there any reason why the X-XSS-Protection header is not set? There are a few others I'd add too, but these depend on how the site is set up:

  • Strict-Transport-Security: Require use of HTTPS
  • Content-Security-Policy: Mitigates some XSS attacks
  • Public-Key-Pins: Prevents MITM attacks using rogue X.509 certs if the CA is compromised
  • X-Frame-Options: Stops clickjacking attacks
  • X-Content-Type-Options: Stops browser from MIME-sniffing
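As an added example (not code from this issue or from the project), the two checks below implement the points raised in the report as defender-side audit logic: one looks at a response's headers for the recommended set and flags values that are present but weak, the other flags external links that open a new browsing context without `rel="noopener"`. The header value checks are my own minimal sanity checks, not requirements stated in the issue, and the sample headers, links and the `https://example.com` site origin are constructed for the run.

```javascript
// Added example: audit response headers and outbound links for the items
// raised in the issue. Runs offline on constructed sample data (node audit.js).

// Headers recommended in the report, each paired with a minimal sanity check on
// its value. The checks are assumptions about reasonable values, not rules from the issue.
const RECOMMENDED_HEADERS = {
  'strict-transport-security': (v) => /max-age=\d+/i.test(v),
  'content-security-policy': (v) => v.trim().length > 0,
  'public-key-pins': (v) => /pin-sha256=/i.test(v) && /max-age=\d+/i.test(v),
  'x-frame-options': (v) => /^(DENY|SAMEORIGIN)$/i.test(v.trim()),
  'x-content-type-options': (v) => v.trim().toLowerCase() === 'nosniff',
  'x-xss-protection': (v) => /^1/.test(v.trim()),
};

// headers: plain object of response header name -> value (names in any case).
// Returns { missing: [...], weak: [...] } in RECOMMENDED_HEADERS order.
function auditSecurityHeaders(headers) {
  const normalised = {};
  for (const [name, value] of Object.entries(headers)) {
    normalised[name.toLowerCase()] = String(value);
  }
  const missing = [];
  const weak = [];
  for (const [name, isAcceptable] of Object.entries(RECOMMENDED_HEADERS)) {
    if (!(name in normalised)) missing.push(name);
    else if (!isAcceptable(normalised[name])) weak.push(name);
  }
  return { missing, weak };
}

// links: array of { href, target, rel } as you would collect from <a> elements.
// Flags links to another origin that open a new context (target="_blank") without
// the rel tokens the report recommends. rel="noreferrer" also severs the opener
// reference, so such a link is still reported only for the missing "noopener" token.
function auditExternalLinks(links, siteOrigin) {
  const findings = [];
  for (const link of links) {
    let url;
    try {
      url = new URL(link.href, siteOrigin); // resolves relative hrefs against the site
    } catch (e) {
      continue; // unparsable href; nothing to assess
    }
    const external = url.origin !== siteOrigin;
    const opensNewContext = (link.target || '').toLowerCase() === '_blank';
    const rel = (link.rel || '').toLowerCase().split(/\s+/).filter(Boolean);
    const missing = ['noopener', 'noreferrer'].filter((t) => !rel.includes(t));
    if (external && opensNewContext && missing.length > 0) {
      findings.push({ href: link.href, missing });
    }
  }
  return findings;
}

// Constructed sample input: a response with HSTS set but a permissive X-Frame-Options,
// and four links on a site whose origin is https://example.com.
const SAMPLE_HEADERS = {
  'Content-Type': 'text/html',
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'X-Frame-Options': 'ALLOWALL',
};
const SAMPLE_LINKS = [
  { href: 'https://example.org/docs', target: '_blank', rel: '' },
  { href: '/about', target: '_blank', rel: '' },
  { href: 'https://example.org/blog', target: '_blank', rel: 'noopener noreferrer' },
  { href: 'https://example.org/faq', target: '', rel: '' },
];
const SITE_ORIGIN = 'https://example.com';

console.log('headers:', JSON.stringify(auditSecurityHeaders(SAMPLE_HEADERS)));
console.log('links:', JSON.stringify(auditExternalLinks(SAMPLE_LINKS, SITE_ORIGIN)));
```

On the sample data only the first link is reported (the `/about` link is same-origin, the blog link already carries both tokens, the FAQ link does not open a new context), and the header audit lists four missing headers plus `x-frame-options` as weak. Two caveats when reusing this today: browsers have since retired both `Public-Key-Pins` and `X-XSS-Protection`, and current browsers treat `target="_blank"` as `noopener` by default, so the link check mainly matters for older clients.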
@mzhang28 (Member) commented Mar 1, 2017

  • window.opener
  • strict transport security
  • csp
  • public key pins
  • x-frame-options
  • x-content-type-options

@remexre remexre added T-bug Type: Bug C-meta "Component": Metabug or Tracking Issue and removed C-meta "Component": Metabug or Tracking Issue labels Nov 1, 2018
@remexre remexre assigned remexre and unassigned remexre Nov 1, 2018