@@ -245,7 +233,6 @@ However, you must be very careful as there are CSRF exploits that can impact JSO
For example, a malicious user can create a http://blog.opensecurityresearch.com/2012/02/json-csrf-with-parameter-padding.html[CSRF with JSON using the following form]:
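Review bot: "create a CSRF with JSON using the following form" reads as if the attacker creates a CSRF; the attacker creates a form that mounts a CSRF attack delivering a JSON body, so "can mount a CSRF attack that submits JSON using the following form" (keeping the existing link macro around the link text) is more precise. The external reference is also a plain `http://` URL; link the `https://` version if the site serves one, since this is a security chapter.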
@@ -254,13 +241,11 @@ For example, a malicious user can create a http://blog.opensecurityresearch.com/
value="Win Money!"/>
</form>
----
-
====
This will produce the following JSON structure
.CSRF with JSON request
-
====
[source,javascript]
----
{ "amount": 100,
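Review bot: With the `====` example-block delimiters removed, the `.CSRF with JSON request` block title only attaches to the listing if nothing but the `[source,javascript]` attribute line sits between it and the opening `----`; the hunk keeps them adjacent, so rendering is preserved, but please confirm no blank line is introduced there when the file is reflowed. Separately, the listing is a JSON document (the `{ "amount": 100, ... "ignore_me": "=test" }` payload produced by the padded form field), not JavaScript, so `[source,json]` is the accurate language tag.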
@@ -269,13 +254,11 @@ This will produce the following JSON structure
"ignore_me": "=test"
}
----
-
====
If an application were not validating the Content-Type, then it would be exposed to this exploit.
Depending on the setup, a Spring MVC application that validates the Content-Type could still be exploited by updating the URL suffix to end with `.json` as shown below:
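Review bot: The two closing sentences leave the reader thinking Content-Type validation is the defence and the `.json` suffix is a corner case, when the second sentence shows that a suffix-driven content negotiation setup lets the request through even with the check in place. State up front that validating the Content-Type is not a sufficient CSRF defence on its own and that a proper token-based CSRF protection is still required, then present the `.json` suffix as the concrete reason. The first sentence also mixes a hypothetical with a concrete attack (`If an application were not validating the Content-Type, then it would be exposed to this exploit.`); `If an application does not validate the Content-Type, it is exposed to this exploit.` reads more directly.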
The optional `includeSubDomains` directive instructs the browser that subdomains (e.g. secure.mybank.example.com) should also be treated as an HSTS domain.
@@ -247,25 +239,21 @@ A security policy contains a set of security policy directives, each responsible
For example, a web application can declare that it expects to load scripts from specific, trusted sources, by including the following header in the response:
An attempt to load a script from another source other than what is declared in the `script-src` directive will be blocked by the user-agent.
Additionally, if the https://www.w3.org/TR/CSP2/#directive-report-uri[report-uri] directive is declared in the security policy, then the violation will be reported by the user-agent to the declared URL.
For example, if a web application violates the declared security policy, the following response header will instruct the user-agent to send violation reports to the URL specified in the policy's `report-uri` directive.
https://www.w3.org/TR/CSP2/#violation-reports[Violation reports] are standard JSON structures that can be captured either by the web application's own API or by a publicly hosted CSP violation reporting service, such as, https://report-uri.com/.
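Review bot: `such as, https://report-uri.com/` carries a stray comma after `such as`; drop it. The preceding sentence says reports are sent "if a web application violates the declared security policy", but it is a resource load on the page (for example a script from an origin not listed in `script-src`, as the paragraph above puts it) that violates the policy, not the application as a whole; `if a page violates the declared policy, the user-agent sends a violation report to the URL given in the report-uri directive` is tighter and matches the earlier paragraph.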
@@ -276,12 +264,10 @@ When a policy is deemed effective, it can be enforced by using the `Content-Secu
Given the following response header, the policy declares that scripts may be loaded from one of two possible sources.
If the site violates this policy, by attempting to load a script from _evil.com_, the user-agent will send a violation report to the declared URL specified by the _report-uri_ directive, but still allow the violating resource to load nevertheless.
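Review bot: `but still allow the violating resource to load nevertheless` says the same thing twice (`still` and `nevertheless`); `but will still allow the violating resource to load` is enough. The directive name is italicised here as `_report-uri_` while the paragraphs above use backticked `report-uri`; use the monospace form consistently for directive names, and consider the same treatment for `_evil.com_` if it is meant to read as a host name rather than emphasis.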
@@ -308,12 +294,10 @@ page the user was on.
Spring Security's approach is to use https://www.w3.org/TR/referrer-policy/[Referrer Policy] header, which provides different https://www.w3.org/TR/referrer-policy/#referrer-policies[policies]:
.Referrer Policy Example
-
====
[source]
----
Referrer-Policy: same-origin
----
-
====
The Referrer-Policy response header instructs the browser to let the destination knows the source where the user was previously.
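Review bot: `instructs the browser to let the destination knows the source where the user was previously` has a verb agreement error (`knows` should be `know`) and does not say what the header actually controls. Suggest `The Referrer-Policy response header controls how much of the referring page's URL the browser includes in the Referer header when the user navigates to another page`, and, since the example above is `Referrer-Policy: same-origin`, add one sentence that with this value the referrer is sent only to same-origin destinations and omitted for cross-origin ones, which is what prevents the previous page's path and query string from leaking to third parties.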
@@ -328,12 +312,10 @@ Refer to the relevant sections to see how to configure both xref:servlet/exploit
https://wicg.github.io/feature-policy/[Feature Policy] is a mechanism that allows web developers to selectively enable, disable, and modify the behavior of certain APIs and web features in the browser.
.Feature Policy Example
-
====
[source]
----
Feature-Policy: geolocation 'self'
----
-
====
With Feature Policy, developers can opt-in to a set of "policies" for the browser to enforce on specific features used throughout your site.
These policies restrict what APIs the site can access or modify the browser's default behavior for certain features.
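Review bot: `developers can opt-in to a set of "policies"` uses the hyphenated noun form where the verb `opt in` is meant, and the sentence switches person mid-way (`developers ... throughout your site`); `developers can opt in to a set of policies for the browser to enforce on specific features used throughout the site` fixes both. The example `Feature-Policy: geolocation 'self'` would also benefit from one clause saying what it does (geolocation is allowed only in same-origin frames), since the two prose sentences stay generic.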
@@ -350,12 +332,10 @@ Refer to the relevant sections to see how to configure both xref:servlet/exploit
https://w3c.github.io/webappsec-permissions-policy/[Permissions Policy] is a mechanism that allows web developers to selectively enable, disable, and modify the behavior of certain APIs and web features in the browser.
.Permissions Policy Example
-
====
[source]
----
Permissions-Policy: geolocation=(self)
----
-
====
With Permissions Policy, developers can opt-in to a set of "policies" for the browser to enforce on specific features used throughout your site.
These policies restrict what APIs the site can access or modify the browser's default behavior for certain features.
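Review bot: The definition sentence and both closing sentences are word-for-word copies of the Feature Policy section above (`is a mechanism that allows web developers to selectively enable, disable, and modify the behavior of certain APIs and web features in the browser.`, `developers can opt-in to a set of "policies" ...`, `These policies restrict what APIs ...`), so a reader cannot tell how the two headers relate or which to configure. Add one sentence stating the relationship between `Permissions-Policy` and `Feature-Policy`, pointing out that `Permissions-Policy: geolocation=(self)` expresses the same restriction as the `Feature-Policy: geolocation 'self'` example above in the newer structured syntax, and apply the same `opt in` / `throughout the site` wording fixes here.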