From 95bda17770657c093de167d79a82b381fc319858 Mon Sep 17 00:00:00 2001 From: Josh Grossman Date: Thu, 16 Nov 2023 13:41:04 +0200 Subject: [PATCH 1/6] First batch of @tghosth suggested changes --- 5.0/en/0x50-V50-attacks-via-browser.md | 67 +++++++++----------------- 1 file changed, 23 insertions(+), 44 deletions(-) diff --git a/5.0/en/0x50-V50-attacks-via-browser.md b/5.0/en/0x50-V50-attacks-via-browser.md index 507bdb9602..a0eeb3ba09 100644 --- a/5.0/en/0x50-V50-attacks-via-browser.md +++ b/5.0/en/0x50-V50-attacks-via-browser.md 
@@ -1,32 +1,13 @@ -# V50 Defense against attacks via browser +# V50 Browser-based Attacks note: all category names, section names and file name will be most likely renamed in the future. -The category focuses on requirements which must take down attacks via victim browser and contain requirements which we don't need for verifying machine-to-machine solutions. +The category focuses on requirements which protect against attacks via that are excecuted via a victim browser. These requirements will not be relevant for machine-to-machine solutions. -## V50.1 Site Isolation Architecture +## V50.1 Browser Origin Separation -| # | Description | L1 | L2 | L3 | CWE | Issue | -| :---: | :--- | :---: | :---: | :---: | :---: | :---: | -| **50.1.1** | [ADDED] Verify that separate applications are hosted on different hostnames so as to benefit from the protections provided by the "same origin policy" and the hostname restrictions on cookies. | ✓ | ✓ | ✓ | 668 | [#1299](https://github.com/OWASP/ASVS/issues/1299) | - - -## V50.2 HTTP Security Headers - -| # | Description | L1 | L2 | L3 | CWE | -| :---: | :--- | :---: | :---: | :---: | :---: | -| **14.4.3** | [MODIFIED] Verify that a Content Security Policy (CSP) response header is in place that helps mitigate impact for XSS attacks like HTML, DOM, CSS, JSON, and JavaScript injection vulnerabilities. | ✓ | ✓ | ✓ | 1021 | -| **14.4.4** | Verify that all responses contain a X-Content-Type-Options: nosniff header. | ✓ | ✓ | ✓ | 116 | -| **14.4.5** | [MODIFIED] Verify that a Strict-Transport-Security header is included on all responses and for all subdomains, such as Strict-Transport-Security: max-age=31536000; includeSubdomains. | ✓ | ✓ | ✓ | 523 | -| **14.4.6** | Verify that a suitable Referrer-Policy header is included to avoid exposing sensitive information in the URL through the Referer header to untrusted parties. 
| ✓ | ✓ | ✓ | 116 | -| **14.4.7** | Verify that the content of a web application cannot be embedded in a third-party site by default and that embedding of the exact resources is only allowed where necessary by using suitable Content-Security-Policy: frame-ancestors and X-Frame-Options response headers. | ✓ | ✓ | ✓ | 1021 | -| **14.4.8** | [ADDED, SPLIT FROM 14.5.3] Verify that the Cross-Origin Resource Sharing (CORS) Access-Control-Allow-Origin header uses a strict allow list of trusted origins. When "Access-Control-Allow-Origin: *" needs to be used, verify that the responses do not include any sensitive information. | ✓ | ✓ | ✓ | 183 | - - -## V50.3 TBD - -titles: +Other possible titles: * confused deputy * request origin * cors setup 
@@ -43,48 +24,46 @@ note: tags and numbers for requirements are not changed, at the moment the goal | # | Description | L1 | L2 | L3 | CWE | Issue | | :---: | :--- | :---: | :---: | :---: | :---: | :---: | +| **50.1.1** | [ADDED] Verify that separate applications are hosted on different hostnames so as to benefit from the protections provided by the "same origin policy" and the hostname restrictions on cookies. | ✓ | ✓ | ✓ | 668 | [#1299](https://github.com/OWASP/ASVS/issues/1299) | +| **14.4.8** | [ADDED, SPLIT FROM 14.5.3] Verify that the Cross-Origin Resource Sharing (CORS) Access-Control-Allow-Origin header uses a strict allow list of trusted origins. When "Access-Control-Allow-Origin: *" needs to be used, verify that the responses do not include any sensitive information. | ✓ | ✓ | ✓ | 183 | | **4.2.2** | [MODIFIED, MERGED FROM 13.2.3] Verify that the application defends against Cross-Site Request Forgery (CSRF) attacks to protect authenticated or sensitive public functionality using the development framework's built-in anti-CSRF functionality or CSRF tokens plus additional defense in depth measures. | ✓ | ✓ | ✓ | 352 | [#1652](https://github.com/OWASP/ASVS/issues/1652) | | **4.2.3** | [ADDED] Verify that messages received by the postMessage interface are discarded if the origin of the message is not trusted, or if the syntax of the message is invalid. | | ✓ | ✓ | 346 | [#1230](https://github.com/OWASP/ASVS/issues/1230) | | **14.5.3** | [MODIFIED, SPLIT TO 14.4.8] Verify that the Origin header is validated against a defined list of allowed origins to match the desired Cross-Origin Resource Sharing (CORS) policy. 
| ✓ | ✓ | ✓ | 346 | [#1230](https://github.com/OWASP/ASVS/issues/1230) | +## V50.2 Browser Security Configuration Headers + +| # | Description | L1 | L2 | L3 | CWE | +| :---: | :--- | :---: | :---: | :---: | :---: | +| **14.4.3** | [MODIFIED] Verify that a Content Security Policy (CSP) response header is in place that helps mitigate impact for XSS attacks like HTML, DOM, CSS, JSON, and JavaScript injection vulnerabilities. | ✓ | ✓ | ✓ | 1021 | +| **14.4.4** | Verify that all responses contain a X-Content-Type-Options: nosniff header. | ✓ | ✓ | ✓ | 116 | +| **14.4.5** | [MODIFIED] Verify that a Strict-Transport-Security header is included on all responses and for all subdomains, such as Strict-Transport-Security: max-age=31536000; includeSubdomains. | ✓ | ✓ | ✓ | 523 | +| **14.4.6** | Verify that a suitable Referrer-Policy header is included to avoid exposing sensitive information in the URL through the Referer header to untrusted parties. | ✓ | ✓ | ✓ | 116 | +| **14.4.7** | Verify that the content of a web application cannot be embedded in a third-party site by default and that embedding of the exact resources is only allowed where necessary by using suitable Content-Security-Policy: frame-ancestors and X-Frame-Options response headers. | ✓ | ✓ | ✓ | 1021 | + -## V50.4 XSSI +## V50.3 XSSI | # | Description | L1 | L2 | L3 | CWE | Issue | | :---: | :--- | :---: | :---: | :---: | :---: | :---: | | **50.3.1** | [ADDED] Verify that JSONP functionality is not enabled anywhere across the application to avoid Cross-Site Script Inclusion (XSSI) attacks. | | ✓ | ✓ | | [#903](https://github.com/OWASP/ASVS/issues/903) | | **50.3.2** | [ADDED] Verify that sensitive information is not present in JavaScript files to avoid Cross-Site Script Inclusion (XSSI) attacks. 
| | ✓ | ✓ | | [#903](https://github.com/OWASP/ASVS/issues/903) | - - -## V50.5 Unintended Content Execution - +## V50.4 Unintended Content Interpretation | # | Description | L1 | L2 | L3 | CWE | Issue | | :---: | :--- | :---: | :---: | :---: | :---: | :---: | -| **14.4.1** | [MODIFIED, SPLIT TO 14.4.9] Verify that every HTTP response contains a Content-Type header which matches the actual content of the response. | ✓ | ✓ | ✓ | 173 | -| **14.4.9** | [ADDED, SPLIT FROM 14.4.1] Verify that if a response specifies a Content-Type of "text/\*", "\*/\*+xml" and "\*/xml", it also specifies a safe character set (e.g., UTF-8, ISO-8859-1) with the charset parameter. | ✓ | ✓ | ✓ | 173 | | **12.5.2** | [GRAMMAR] Verify that direct requests to uploaded files will never be executed as HTML and JavaScript content. | ✓ | ✓ | ✓ | 434 | - | | **1.12.2** | [MODIFIED] Verify that user-uploaded files - if required to be displayed or downloaded from the application - are served by either octet stream downloads, or from an unrelated domain, such as a cloud file storage bucket. | | ✓ | ✓ | 646 | [#1406](https://github.com/OWASP/ASVS/issues/1406) | | **50.4.2** | [PROPOSED] Verify that if a client navigates to a resource (template, API response) which are not meant to be accessed directly, the application have defense (not serving the response, serving as an attachment or sandboxed content) to avoid rendering the response in browser or showing content and functionality out of context. 
| | ✓ | ✓ | | [#1009](https://github.com/OWASP/ASVS/issues/1009) | - -note: current 14.4.1 + 14.4.9 suits here, but need to rethink do we need them also for machine-to-machine solution for some reason - - -## V50.6 External Resource Integrity +## V50.5 External Resource Integrity | # | Description | L1 | L2 | L3 | CWE | | :---: | :--- | :---: | :---: | :---: | :---: | | **14.2.3** | [MODIFIED] Verify that if client-side assets, such as JavaScript libraries, CSS or web fonts, are hosted externally on a Content Delivery Network (CDN) or external provider, Subresource Integrity (SRI) is used to validate the integrity of the asset. | ✓ | ✓ | ✓ | 829 | +## V50.6 Other Browser Security Considerations -## V50.7 WebSocket - -here? - - - \ No newline at end of file +| # | Description | L1 | L2 | L3 | CWE | +| :---: | :--- | :---: | :---: | :---: | :---: | +| **50.6.1** | [ADDED] outcome from https://github.com/OWASP/ASVS/issues/959#issuecomment-1172990290 - "_Verify that the web application warns users using an old browser that does not support HTTP security features on which the application relies._" | ✓ | ✓ | ✓ | ? | From 343337a445dc117e57bdaf84e6ba1be704727bca Mon Sep 17 00:00:00 2001 From: Josh Grossman Date: Thu, 16 Nov 2023 13:42:52 +0200 Subject: [PATCH 2/6] Fix a typo --- 5.0/en/0x50-V50-attacks-via-browser.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/5.0/en/0x50-V50-attacks-via-browser.md b/5.0/en/0x50-V50-attacks-via-browser.md index a0eeb3ba09..c33832d774 100644 --- a/5.0/en/0x50-V50-attacks-via-browser.md +++ b/5.0/en/0x50-V50-attacks-via-browser.md 
@@ -2,8 +2,7 @@ note: all category names, section names and file name will be most likely renamed in the future. -The category focuses on requirements which protect against attacks via that are excecuted via a victim browser. These requirements will not be relevant for machine-to-machine solutions. - +The category focuses on requirements which protect against attacks via that are executed via a victim browser. These requirements will not be relevant for machine-to-machine solutions. ## V50.1 Browser Origin Separation From af385153cb73b4f58308590246bb79a32ad59726 Mon Sep 17 00:00:00 2001 From: Josh Grossman Date: Thu, 16 Nov 2023 13:46:09 +0200 Subject: [PATCH 3/6] Change moves to make diff easier --- 5.0/en/0x50-V50-attacks-via-browser.md | 29 +++++++++++++++----------- 1 file changed, 17 insertions(+), 12 deletions(-) diff --git a/5.0/en/0x50-V50-attacks-via-browser.md b/5.0/en/0x50-V50-attacks-via-browser.md index c33832d774..e262bc5693 100644 --- a/5.0/en/0x50-V50-attacks-via-browser.md +++ b/5.0/en/0x50-V50-attacks-via-browser.md 
@@ -4,7 +4,23 @@ note: all category names, section names and file name will be most likely rename The category focuses on requirements which protect against attacks via that are executed via a victim browser. These requirements will not be relevant for machine-to-machine solutions. -## V50.1 Browser Origin Separation +## V50.1 Site Isolation Architecture + +| # | Description | L1 | L2 | L3 | CWE | Issue | +| :---: | :--- | :---: | :---: | :---: | :---: | :---: | +| **50.1.1** | REMOVE SECTION. | | | | | | + +## V50.2 Browser Security Configuration Headers + +| # | Description | L1 | L2 | L3 | CWE | +| :---: | :--- | :---: | :---: | :---: | :---: | +| **14.4.3** | [MODIFIED] Verify that a Content Security Policy (CSP) response header is in place that helps mitigate impact for XSS attacks like HTML, DOM, CSS, JSON, and JavaScript injection vulnerabilities. | ✓ | ✓ | ✓ | 1021 | +| **14.4.4** | Verify that all responses contain a X-Content-Type-Options: nosniff header. | ✓ | ✓ | ✓ | 116 | +| **14.4.5** | [MODIFIED] Verify that a Strict-Transport-Security header is included on all responses and for all subdomains, such as Strict-Transport-Security: max-age=31536000; includeSubdomains. | ✓ | ✓ | ✓ | 523 | +| **14.4.6** | Verify that a suitable Referrer-Policy header is included to avoid exposing sensitive information in the URL through the Referer header to untrusted parties. | ✓ | ✓ | ✓ | 116 | +| **14.4.7** | Verify that the content of a web application cannot be embedded in a third-party site by default and that embedding of the exact resources is only allowed where necessary by using suitable Content-Security-Policy: frame-ancestors and X-Frame-Options response headers. | ✓ | ✓ | ✓ | 1021 | + +## V50.3 Browser Origin Separation Other possible titles: * confused deputy 
@@ -29,17 +45,6 @@ note: tags and numbers for requirements are not changed, at the moment the goal | **4.2.3** | [ADDED] Verify that messages received by the postMessage interface are discarded if the origin of the message is not trusted, or if the syntax of the message is invalid. | | ✓ | ✓ | 346 | [#1230](https://github.com/OWASP/ASVS/issues/1230) | | **14.5.3** | [MODIFIED, SPLIT TO 14.4.8] Verify that the Origin header is validated against a defined list of allowed origins to match the desired Cross-Origin Resource Sharing (CORS) policy. | ✓ | ✓ | ✓ | 346 | [#1230](https://github.com/OWASP/ASVS/issues/1230) | -## V50.2 Browser Security Configuration Headers - -| # | Description | L1 | L2 | L3 | CWE | -| :---: | :--- | :---: | :---: | :---: | :---: | -| **14.4.3** | [MODIFIED] Verify that a Content Security Policy (CSP) response header is in place that helps mitigate impact for XSS attacks like HTML, DOM, CSS, JSON, and JavaScript injection vulnerabilities. | ✓ | ✓ | ✓ | 1021 | -| **14.4.4** | Verify that all responses contain a X-Content-Type-Options: nosniff header. | ✓ | ✓ | ✓ | 116 | -| **14.4.5** | [MODIFIED] Verify that a Strict-Transport-Security header is included on all responses and for all subdomains, such as Strict-Transport-Security: max-age=31536000; includeSubdomains. | ✓ | ✓ | ✓ | 523 | -| **14.4.6** | Verify that a suitable Referrer-Policy header is included to avoid exposing sensitive information in the URL through the Referer header to untrusted parties. | ✓ | ✓ | ✓ | 116 | -| **14.4.7** | Verify that the content of a web application cannot be embedded in a third-party site by default and that embedding of the exact resources is only allowed where necessary by using suitable Content-Security-Policy: frame-ancestors and X-Frame-Options response headers. | ✓ | ✓ | ✓ | 1021 | - - ## V50.3 XSSI | # | Description | L1 | L2 | L3 | CWE | Issue | From 2912a83c5c73cf3941f47c5838baed69da7611ed Mon Sep 17 00:00:00 2001 
From: Josh Grossman Date: Thu, 16 Nov 2023 13:48:38 +0200 Subject: [PATCH 4/6] Fix numbering --- 5.0/en/0x50-V50-attacks-via-browser.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/5.0/en/0x50-V50-attacks-via-browser.md b/5.0/en/0x50-V50-attacks-via-browser.md index e262bc5693..ee8903a407 100644 --- a/5.0/en/0x50-V50-attacks-via-browser.md +++ b/5.0/en/0x50-V50-attacks-via-browser.md @@ -45,14 +45,14 @@ note: tags and numbers for requirements are not changed, at the moment the goal | **4.2.3** | [ADDED] Verify that messages received by the postMessage interface are discarded if the origin of the message is not trusted, or if the syntax of the message is invalid. | | ✓ | ✓ | 346 | [#1230](https://github.com/OWASP/ASVS/issues/1230) | | **14.5.3** | [MODIFIED, SPLIT TO 14.4.8] Verify that the Origin header is validated against a defined list of allowed origins to match the desired Cross-Origin Resource Sharing (CORS) policy. | ✓ | ✓ | ✓ | 346 | [#1230](https://github.com/OWASP/ASVS/issues/1230) | -## V50.3 XSSI +## V50.4 XSSI | # | Description | L1 | L2 | L3 | CWE | Issue | | :---: | :--- | :---: | :---: | :---: | :---: | :---: | | **50.3.1** | [ADDED] Verify that JSONP functionality is not enabled anywhere across the application to avoid Cross-Site Script Inclusion (XSSI) attacks. | | ✓ | ✓ | | [#903](https://github.com/OWASP/ASVS/issues/903) | | **50.3.2** | [ADDED] Verify that sensitive information is not present in JavaScript files to avoid Cross-Site Script Inclusion (XSSI) attacks. | | ✓ | ✓ | | [#903](https://github.com/OWASP/ASVS/issues/903) | -## V50.4 Unintended Content Interpretation +## V50.5 Unintended Content Interpretation | # | Description | L1 | L2 | L3 | CWE | Issue | | :---: | :--- | :---: | :---: | :---: | :---: | :---: | 
@@ -60,13 +60,13 @@ note: tags and numbers for requirements are not changed, at the moment the goal | **1.12.2** | [MODIFIED] Verify that user-uploaded files - if required to be displayed or downloaded from the application - are served by either octet stream downloads, or from an unrelated domain, such as a cloud file storage bucket. | | ✓ | ✓ | 646 | [#1406](https://github.com/OWASP/ASVS/issues/1406) | | **50.4.2** | [PROPOSED] Verify that if a client navigates to a resource (template, API response) which are not meant to be accessed directly, the application have defense (not serving the response, serving as an attachment or sandboxed content) to avoid rendering the response in browser or showing content and functionality out of context. | | ✓ | ✓ | | [#1009](https://github.com/OWASP/ASVS/issues/1009) | -## V50.5 External Resource Integrity +## V50.6 External Resource Integrity | # | Description | L1 | L2 | L3 | CWE | | :---: | :--- | :---: | :---: | :---: | :---: | | **14.2.3** | [MODIFIED] Verify that if client-side assets, such as JavaScript libraries, CSS or web fonts, are hosted externally on a Content Delivery Network (CDN) or external provider, Subresource Integrity (SRI) is used to validate the integrity of the asset. | ✓ | ✓ | ✓ | 829 | -## V50.6 Other Browser Security Considerations +## V50.7 Other Browser Security Considerations | # | Description | L1 | L2 | L3 | CWE | | :---: | :--- | :---: | :---: | :---: | :---: | From b80fc0c7987a8a9fa398aec4f3f2d9b313352d29 Mon Sep 17 00:00:00 2001 From: Josh Grossman Date: Thu, 23 Nov 2023 16:34:32 +0200 Subject: [PATCH 5/6] Changes following discussion between Josh and Elar --- 5.0/en/0x50-V50-attacks-via-browser.md | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/5.0/en/0x50-V50-attacks-via-browser.md b/5.0/en/0x50-V50-attacks-via-browser.md index ee8903a407..294bd711c4 100644 --- a/5.0/en/0x50-V50-attacks-via-browser.md +++ b/5.0/en/0x50-V50-attacks-via-browser.md 
@@ -1,16 +1,16 @@ -# V50 Browser-based Attacks +# V50 Web Frontend Security note: all category names, section names and file name will be most likely renamed in the future. -The category focuses on requirements which protect against attacks via that are executed via a victim browser. These requirements will not be relevant for machine-to-machine solutions. +The category focuses on requirements which protect against attacks that are executed via a web frontend for an application. These requirements will not be relevant for machine-to-machine solutions. ## V50.1 Site Isolation Architecture | # | Description | L1 | L2 | L3 | CWE | Issue | | :---: | :--- | :---: | :---: | :---: | :---: | :---: | -| **50.1.1** | REMOVE SECTION. | | | | | | +| **50.1.1** | [ADDED] Verify that separate applications are hosted on different hostnames so as to benefit from the protections provided by the "same origin policy" and the hostname restrictions on cookies. | ✓ | ✓ | ✓ | 668 | [#1299](https://github.com/OWASP/ASVS/issues/1299) | -## V50.2 Browser Security Configuration Headers +## V50.2 Browser Security Mechanism Headers | # | Description | L1 | L2 | L3 | CWE | | :---: | :--- | :---: | :---: | :---: | :---: | 
@@ -19,6 +19,7 @@ The category focuses on requirements which protect against attacks via that are | **14.4.5** | [MODIFIED] Verify that a Strict-Transport-Security header is included on all responses and for all subdomains, such as Strict-Transport-Security: max-age=31536000; includeSubdomains. | ✓ | ✓ | ✓ | 523 | | **14.4.6** | Verify that a suitable Referrer-Policy header is included to avoid exposing sensitive information in the URL through the Referer header to untrusted parties. | ✓ | ✓ | ✓ | 116 | | **14.4.7** | Verify that the content of a web application cannot be embedded in a third-party site by default and that embedding of the exact resources is only allowed where necessary by using suitable Content-Security-Policy: frame-ancestors and X-Frame-Options response headers. | ✓ | ✓ | ✓ | 1021 | +| **14.4.8** | [ADDED, SPLIT FROM 14.5.3] Verify that the Cross-Origin Resource Sharing (CORS) Access-Control-Allow-Origin header uses a strict allow list of trusted origins. When "Access-Control-Allow-Origin: *" needs to be used, verify that the responses do not include any sensitive information. | ✓ | ✓ | ✓ | 183 | ## V50.3 Browser Origin Separation 
@@ -39,8 +40,6 @@ note: tags and numbers for requirements are not changed, at the moment the goal | # | Description | L1 | L2 | L3 | CWE | Issue | | :---: | :--- | :---: | :---: | :---: | :---: | :---: | -| **50.1.1** | [ADDED] Verify that separate applications are hosted on different hostnames so as to benefit from the protections provided by the "same origin policy" and the hostname restrictions on cookies. | ✓ | ✓ | ✓ | 668 | [#1299](https://github.com/OWASP/ASVS/issues/1299) | -| **14.4.8** | [ADDED, SPLIT FROM 14.5.3] Verify that the Cross-Origin Resource Sharing (CORS) Access-Control-Allow-Origin header uses a strict allow list of trusted origins. When "Access-Control-Allow-Origin: *" needs to be used, verify that the responses do not include any sensitive information. | ✓ | ✓ | ✓ | 183 | | **4.2.2** | [MODIFIED, MERGED FROM 13.2.3] Verify that the application defends against Cross-Site Request Forgery (CSRF) attacks to protect authenticated or sensitive public functionality using the development framework's built-in anti-CSRF functionality or CSRF tokens plus additional defense in depth measures. | ✓ | ✓ | ✓ | 352 | [#1652](https://github.com/OWASP/ASVS/issues/1652) | | **4.2.3** | [ADDED] Verify that messages received by the postMessage interface are discarded if the origin of the message is not trusted, or if the syntax of the message is invalid. | | ✓ | ✓ | 346 | [#1230](https://github.com/OWASP/ASVS/issues/1230) | | **14.5.3** | [MODIFIED, SPLIT TO 14.4.8] Verify that the Origin header is validated against a defined list of allowed origins to match the desired Cross-Origin Resource Sharing (CORS) policy. | ✓ | ✓ | ✓ | 346 | [#1230](https://github.com/OWASP/ASVS/issues/1230) | From 1fdf8ccc8fd53880418134fb296ce0bf3a9c354a Mon Sep 17 00:00:00 2001 From: Josh Grossman Date: Thu, 23 Nov 2023 16:37:14 +0200 Subject: [PATCH 6/6] Linting issues --- 5.0/en/0x50-V50-attacks-via-browser.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
diff --git a/5.0/en/0x50-V50-attacks-via-browser.md b/5.0/en/0x50-V50-attacks-via-browser.md index 294bd711c4..b4ca47da43 100644 --- a/5.0/en/0x50-V50-attacks-via-browser.md +++ b/5.0/en/0x50-V50-attacks-via-browser.md @@ -24,6 +24,7 @@ The category focuses on requirements which protect against attacks that are exec ## V50.3 Browser Origin Separation Other possible titles: + * confused deputy * request origin * cors setup @@ -33,8 +34,9 @@ When accepting request on the server side, we need to be sure it is initiated by The keywords here are browser security policies like Same Origin Policy for JavaScript and also SameSite logic for cookies. The category should contain requirements with idea: - * Verify that request was initiated by trusted party (CSRF, CORS misconfiguration) - * Verify that the response is readable only for trusted parties (CORS misconfiguration) + +* Verify that request was initiated by trusted party (CSRF, CORS misconfiguration) +* Verify that the response is readable only for trusted parties (CORS misconfiguration) note: tags and numbers for requirements are not changed, at the moment the goal is to verify the idea and concept of the category
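Review bot: in the first hunk of PATCH 1/6 (@@ -1,32 +1,13 @@), the rewritten intro line "The category focuses on requirements which protect against attacks via that are excecuted via a victim browser." has both a typo ("excecuted") and a doubled "via ... via"; suggest "protect against attacks that are executed via a victim browser". The "note: all category names, section names and file name will be most likely renamed" line survives the retitle to "V50 Browser-based Attacks", which is fine, but it means the new title should be treated as provisional in the PR description as well.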
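Review bot: the second hunk of PATCH 1/6 (@@ -43,48 +24,46 @@) deletes rows 14.4.1 (Content-Type matches the actual content) and 14.4.9 (charset parameter for "text/*", "*/*+xml" and "*/xml" responses) together with the note that discussed them, with no [MOVED TO ...] tag or replacement, so the chapter loses its Content-Type requirements silently; if they stay in V14, record that in a note next to the "V50.4 Unintended Content Interpretation" table. In the same hunk the new 50.6.1 row has "?" in the CWE column and a description that starts with "outcome from https://github.com/OWASP/ASVS/issues/959#issuecomment-1172990290 -"; keep only the quoted "Verify that the web application warns users using an old browser..." sentence as the description, put the link in an Issue column as the other tables do, and leave the CWE cell empty rather than "?" so the row looks like the other unresolved rows (50.3.1, 50.3.2, 50.4.2).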
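Review bot: the hunk in PATCH 2/6 corrects "excecuted" but the line still reads "attacks via that are executed via a victim browser"; the first "via" needs to go too, giving "attacks that are executed via a victim browser".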
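Review bot: the row "| **50.1.1** | REMOVE SECTION. | | | | | |" added in the first hunk of PATCH 3/6 (@@ -4,7 +4,23 @@) puts an editorial placeholder into a requirements table under a requirement identifier, where anything that reads these tables as requirements will treat it as one; if V50.1 is going away, delete the section, or leave a plain "note:" line of the kind this file already uses. The same hunk adds "## V50.3 Browser Origin Separation" while "## V50.3 XSSI" still exists further down, so after this commit the file has two V50.3 sections; the renumbering belongs in the same change as the move.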
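Review bot: after the heading renumbering in the first hunk of PATCH 4/6 (@@ -45,14 +45,14 @@), requirement identifiers and sections disagree: "## V50.4 XSSI" holds 50.3.1 and 50.3.2, and "## V50.5 Unintended Content Interpretation" holds 50.4.2. The file's "note: tags and numbers for requirements are not changed" caveat sits under V50.3 only, so a reader of the rendered chapter will see these as mismatches; either renumber the rows with their headings or repeat the caveat above each affected table.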
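Review bot: the same mismatch appears in the second hunk of PATCH 4/6 (@@ -60,13 +60,13 @@): 50.6.1 now sits under "## V50.7 Other Browser Security Considerations". Renumbering it to 50.7.1 alongside the heading keeps identifier and section in step.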
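Review bot: the first hunk of PATCH 5/6 (@@ -1,16 +1,16 @@) restores the full 50.1.1 requirement over the "REMOVE SECTION." placeholder that PATCH 3/6 introduced; squashing the two would avoid a commit in history in which 50.1.1 reads "REMOVE SECTION.". The retitle to "V50 Web Frontend Security" also leaves the path 5.0/en/0x50-V50-attacks-via-browser.md describing the old scope; the existing "note:" line already says names will change, so deferring the file rename is fine, but it is worth tracking in the PR so it is not lost.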
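Review bot: the second and third hunks of PATCH 5/6 (@@ -19,6 +19,7 @@ and @@ -39,8 +40,6 @@) move 14.4.8 (Access-Control-Allow-Origin strict allow list) into "V50.2 Browser Security Mechanism Headers" while 14.5.3 (Origin header validated against the list of allowed origins), which the "[SPLIT TO 14.4.8]" / "[SPLIT FROM 14.5.3]" tags mark as the other half of the same split, stays in "V50.3 Browser Origin Separation". Both describe one CORS allow list, from the response side and the request side respectively, and are easier to keep consistent side by side; if they must live in different sections, add a sentence in the V50.3 text pointing at 14.4.8 for the header half.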
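Review bot: the list fixes in the second hunk of PATCH 6/6 (@@ -33,8 +34,9 @@) look right; since this is already a lint commit, the context line "When accepting request on the server side" should read "requests", and the first bullet's "initiated by trusted party" reads better as "initiated by a trusted party".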