Fix spellings (#157)

* Update framing-isolation.md * Update navigation-isolation.md * Update resource-isolation.md * Update same-site-cookies.md * Update connection-pool.md * Update performance-api.md * Update navigations.md * Update css-injection.md * Update error-events.md * Update cache-probing.md * Update cache-probing.md * Update css-tricks.md * Update css-tricks.md * Update css-tricks.md
xsleaks · Apr 21, 2024 · 4405bee · 4405bee
1 parent 796fe41
commit 4405bee
Show file tree

Hide file tree

Showing 11 changed files with 16 additions and 16 deletions.
diff --git a/content/docs/attacks/cache-probing.md b/content/docs/attacks/cache-probing.md
@@ -60,15 +60,15 @@ It's also possible to remove resources from cache without server errors. For exa
 
 ## CORS error on Origin Reflection misconfiguration
 
-Origin reflection is a behavior in which a globally accessible resource is provided with a [Access-Control-Allow-Orign (ACAO)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin) header whose value reflects the origin that initialized the request. This can be considered as CORS misconfiguration [^5] and can be used to detect whether the resource exists in the browser cache.
+Origin reflection is a behavior in which a globally accessible resource is provided with a [Access-Control-Allow-Origin (ACAO)](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin) header whose value reflects the origin that initialized the request. This can be considered as CORS misconfiguration [^5] and can be used to detect whether the resource exists in the browser cache.
 
 {{< hint info >}} 
 For example, Flask framework [promotes](https://flask-cors.readthedocs.io/en/latest/api.htm) origin reflection as the default behavior.
 {{< /hint >}}
 
 If a resource hosted on `server.com` is requested from `target.com` then the origin could be reflected in the response headers as: `Access-Control-Allow-Origin: target.com`. If the resource is cached, this information is stored together with the resource in the browser cache. With that, if `attacker.com` tries to fetch the same resource there are two possible scenarios:
 - The resource is not in cache: the resource could be fetched and stored together with the `Access-Control-Allow-Origin: attacker.com` header.
-- The resource was already in cache: fetch attempt will try to fetch the resource from the cache but it will also generate a CORS error due to the ACAO header value mismatch with the requesting origin (`target.com` origin was expected but `attacker.com` was provided). Here below is provided an example code snippet epxloting this vulnerability to infer the cache status of the victim's browser. [Run demo](https://xsinator.com/testing.html#Cache%20Leak%20(CORS))
+- The resource was already in cache: fetch attempt will try to fetch the resource from the cache but it will also generate a CORS error due to the ACAO header value mismatch with the requesting origin (`target.com` origin was expected but `attacker.com` was provided). Here below is provided an example code snippet exploiting this vulnerability to infer the cache status of the victim's browser. [Run demo](https://xsinator.com/testing.html#Cache%20Leak%20(CORS))
 ```javascript
 // The function simply takes a url and fetches it in CORS mode.
 // If the fetch raises an error, it will be a CORS error due to the 

diff --git a/content/docs/attacks/css-injection.md b/content/docs/attacks/css-injection.md
@@ -26,8 +26,8 @@ Larger text dimensions can result in the scroll bar being shown,
 This scroll bar can have a custom style such as `background: url()` so that it makes a request to an attacker-controlled server when shown. [^3]
 
 ## Defense
-- Put attacker controled content in its own document this can be done using a iframe with the srcdoc attribute.
-Optionaly include the sandbox attbute to isolate the content into its own origin.
+- Put attacker controlled content in its own document this can be done using a iframe with the srcdoc attribute.
+Optionally include the sandbox attribute to isolate the content into its own origin.
 - Use a CSS inliner so global styles get converted.
 
 | [SameSite Cookies (Lax)]({{< ref "/docs/defenses/opt-in/same-site-cookies.md" >}}) | [COOP]({{< ref "/docs/defenses/opt-in/coop.md" >}}) | [Framing Protections]({{< ref "/docs/defenses/opt-in/xfo.md" >}}) |                  [Isolation Policies]({{< ref "/docs/defenses/isolation-policies" >}})                   |

diff --git a/content/docs/attacks/css-tricks.md b/content/docs/attacks/css-tricks.md
@@ -20,7 +20,7 @@ CSS can be used to trick a user into exposing information such as embedded pixel
 
 ## Retrieving user's history
 Using the CSS [`:visited`](https://developer.mozilla.org/en-US/docs/Web/CSS/:visited) selector, it’s possible to apply a different style for URLs that have been visited.  
-Previously it was possible to use [`getComputedStyle()`](https://developer.mozilla.org/en-US/docs/Web/API/Window/getComputedStyle) to detect this difference, but now browsers prevent this by always returing values as if the link was visted and limiting what styles can be applyed using the selector. [^changes-1]   
+Previously it was possible to use [`getComputedStyle()`](https://developer.mozilla.org/en-US/docs/Web/API/Window/getComputedStyle) to detect this difference, but now browsers prevent this by always returning values as if the link was visited and limiting what styles can be applied using the selector. [^changes-1]   
 So, it may be needed to trick the user into clicking an area that the CSS has affected.
 This can be done using [`mix-blend-mode`](https://developer.mozilla.org/en-US/docs/Web/CSS/mix-blend-mode). [^blend-mode]   
 There are also ways to do it without user interaction such as by abusing render timings.
@@ -32,8 +32,8 @@ Multiple bugs were reported about this issue: [^bug-1](https://bugs.chromium.org
 ## Evil Captcha
 Using CSS, it’s possible to take an embed out of context.  
 An example of this is pretending it’s a captcha as seen in [^leak-2]  
-This works by setting the width and hight of an embed so that only the target characters are shown,
-this may use multiple embeds to change the order of the characters being displayed so that its harder for a user to know what infomation they're providing.
+This works by setting the width and height of an embed so that only the target characters are shown,
+this may use multiple embeds to change the order of the characters being displayed so that its harder for a user to know what information they're providing.
 
 ## Abusing autocomplete
 If a website uses text inputs and does not opt-out of [autocomplete](https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes/autocomplete) using ```autocomplete="off"``` it may be possible to leak data such as email addresses by tricking the user into pressing the keys to navigate the autocomplete UI for a javascript focused text input.

diff --git a/content/docs/attacks/error-events.md b/content/docs/attacks/error-events.md
@@ -48,7 +48,7 @@ probeError('https://google.com/');
 
 ## Defense
 
-The mitigation of this XS-Leak often varies depending on how applications handle certain resources. The general approach is to adopt consistent behaviors whereever possible. In specific scenarios, applications might use [Subresource Protections]({{< ref "/docs/defenses/design-protections/subresource-protections.md" >}}) to prevent attackers from predicting a URL and going forward with an attack.
+The mitigation of this XS-Leak often varies depending on how applications handle certain resources. The general approach is to adopt consistent behaviors wherever possible. In specific scenarios, applications might use [Subresource Protections]({{< ref "/docs/defenses/design-protections/subresource-protections.md" >}}) to prevent attackers from predicting a URL and going forward with an attack.
 
 Finally, without applying bigger changes in the logic of applications, generic web platform security features can be deployed to mitigate this XS-Leak at a larger scale.
 

diff --git a/content/docs/attacks/navigations.md b/content/docs/attacks/navigations.md
@@ -120,9 +120,9 @@ setTimeout(() => {
 ## Server-Side Redirects
 
 ### Max redirects
-When a page initiates a chain of 3XX redirects, browsers limit the maximum number of redirects to 20 [^spec-redirects]. This can be used to detect the exact number of redirects occured for a cross-origin page by following the below approach [^redirect-leak]:
+When a page initiates a chain of 3XX redirects, browsers limit the maximum number of redirects to 20 [^spec-redirects]. This can be used to detect the exact number of redirects occurred for a cross-origin page by following the below approach [^redirect-leak]:
 1. As a malicious website, initiate 19 redirects and make the final 20th redirect to the attacked page.
-2. If the browser threw a network error, at least one redirect occured. Repeat the process with 18 redirects.
+2. If the browser threw a network error, at least one redirect occurred. Repeat the process with 18 redirects.
 3. If the browser didn't threw a network error, the number of redirects is known as `20 - issued_redirects`.
 
 *To detect an error one can use [Error Events]({{< ref "/docs/attacks/error-events.md" >}})*

diff --git a/content/docs/attacks/timing-attacks/connection-pool.md b/content/docs/attacks/timing-attacks/connection-pool.md
@@ -106,7 +106,7 @@ async function isConnected2(url, max = 50) {
 await isConnected2('https://example.com/404');
 ```
 
-## Skipping dependences
+## Skipping dependencies
 If a connection is exhausted or there’s to many sockets open then requests for code from a host may fail resulting in different behaviour.
 The following examples are by design a DoS attack for both the client and server.
 Open a lot of sockets: (ERR_CONNECTION_CLOSED, ERR_INSUFFICIENT_RESOURCES)

diff --git a/content/docs/attacks/timing-attacks/performance-api.md b/content/docs/attacks/timing-attacks/performance-api.md
@@ -68,7 +68,7 @@ await isFrameBlocked('https://example.org');
 # Detecting cached resources
 
 With the `performance` API it is possible to detect whether a resource was cached or not.
-Unless [Cross-Origin Read Blocking]({{< ref "../../defenses/secure-defaults/corb.md" >}}) is triggered (resource is html) the resource will get cached in the processs of the check.  [Run demo](https://xsinator.com/testing.html#Duration%20Redirect%20Leak)
+Unless [Cross-Origin Read Blocking]({{< ref "../../defenses/secure-defaults/corb.md" >}}) is triggered (resource is html) the resource will get cached in the process of the check.  [Run demo](https://xsinator.com/testing.html#Duration%20Redirect%20Leak)
 ```javascript
 async function ifCached2(url) {
     let href = new URL(url).href;

diff --git a/content/docs/defenses/isolation-policies/framing-isolation.md b/content/docs/defenses/isolation-policies/framing-isolation.md
@@ -22,7 +22,7 @@ When deployed together with [Resource Isolation Policy]({{< ref "resource-isolat
 
 ## Implementation with Fetch Metadata
 
-The below snippet showcases an example implemention of the Framing Isolation Policy by an application:
+The below snippet showcases an example implementation of the Framing Isolation Policy by an application:
 
 ```py
 # Reject cross-site requests to protect from CSRF, XSSI, XS-Leaks, and other bugs

diff --git a/content/docs/defenses/isolation-policies/navigation-isolation.md b/content/docs/defenses/isolation-policies/navigation-isolation.md
@@ -16,7 +16,7 @@ Instead of rejecting all cross-site interactions, the user could be prompted to
 
 ## Implementation with Fetch Metadata
 
-The below snippet showcases an example implemention of the Navigation Isolation Policy with the use of [Fetch Metadata]({{< ref "../opt-in/fetch-metadata.md">}}) headers [^secmetadata]:
+The below snippet showcases an example implementation of the Navigation Isolation Policy with the use of [Fetch Metadata]({{< ref "../opt-in/fetch-metadata.md">}}) headers [^secmetadata]:
 
 ```py
 # Reject cross-site requests to protect from clickjacking, XS-Leaks, and other bugs

diff --git a/content/docs/defenses/isolation-policies/resource-isolation.md b/content/docs/defenses/isolation-policies/resource-isolation.md
@@ -12,7 +12,7 @@ Resource Isolation Policy prevents external websites from requesting your resour
 
 ## Implementation with Fetch Metadata
 
-The below snippet showcases an example implemention of the Resource Isolation Policy with the use of [Fetch Metadata]({{< ref "../opt-in/fetch-metadata.md">}}) headers:
+The below snippet showcases an example implementation of the Resource Isolation Policy with the use of [Fetch Metadata]({{< ref "../opt-in/fetch-metadata.md">}}) headers:
 
 ```py
 # Reject cross-origin requests to protect from , XSSI, XS-Leaks, and other bugs

diff --git a/content/docs/defenses/opt-in/same-site-cookies.md b/content/docs/defenses/opt-in/same-site-cookies.md
@@ -33,7 +33,7 @@ The following SameSite cookie modes are available:
 SameSite cookies are neither bulletproof [^2] nor can they fix everything. To complement this defense strategy against XS-Leaks, applications should consider implementing other, additional protections. For example, [COOP]({{< ref "coop.md" >}}) can prevent an attacker from controlling pages using a `window` reference after the first navigation even if SameSite cookies in `Lax` mode are used.
 
 {{< hint important >}}
-Some browers may not use the default of Lax, So explicitly set the SameSite attrbute to ensure its enforced. 
+Some browsers may not use the default of Lax, So explicitly set the SameSite attribute to ensure its enforced. 
 By default, cookies in Chrome without `SameSite` attribute will default to `Lax` mode. However, there is an exception for that behavior for cookies set less than 2 minutes ago that are sent via POST requests. [^3]
 
 [^3]: Cookies default to SameSite=Lax, [link](https://www.chromestatus.com/feature/5088147346030592)