(tweaks) |
Line 547: | Line 547: | ||
= Referrer Policy = | = Referrer Policy = | ||
When a user navigates to a site via a hyperlink or a | When a user navigates to a site via a hyperlink or a website loads an external resource, browsers inform the destination site of the origin of the requests through the use of the HTTP <tt>Referer</tt> (sic) header. Although this can be useful for a variety of purposes, it can also place the privacy of users at risk. HTTP Referrer Policy allows sites to have fine-grained control over how and when browsers transmit the HTTP <tt>Referer</tt> header. | ||
In normal operation, if a page at https://example.com/page.html contains <tt><img src="https://not.example.com/image.jpg"></tt>, then the browser will send a request like this: | In normal operation, if a page at https://example.com/page.html contains <tt><nowiki><img src="https://not.example.com/image.jpg"></nowiki></tt>, then the browser will send a request like this: | ||
<pre>GET /image | <pre>GET /image.jpg HTTP/1.1 | ||
Host: not.example.com | Host: not.example.com | ||
Referer: https://example.com/page.html</pre> | Referer: https://example.com/page.html</pre> | ||
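Review bot: the example request now shows the privacy problem concretely (the full path https://example.com/page.html leaks to the third-party host not.example.com), but the paragraph above it never says that this full-URL behaviour is the browser default that the policies later in the section restrict. A sentence after the <pre> block tying the two together, e.g. "This default behaviour is what the Referrer-Policy header lets a site override", would make the example do its job. Also, the "(sic)" after <tt>Referer</tt> is correct but unexplained; a short aside that the header name is misspelled in the HTTP specification and the policy header uses the correct spelling would save readers a lookup.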
Line 579: | Line 579: | ||
# Only send the shortened referrer to a foreign origin, full referrer to a local host | # Only send the shortened referrer to a foreign origin, full referrer to a local host | ||
Referrer-Policy: strict-origin-when-cross-origin | Referrer-Policy: strict-origin-when-cross-origin | ||
# Disable referrers for browsers that don't support strict-origin-when-cross-origin; uses | |||
# strict-origin-when-cross-origin for browsers that do | |||
Referrer-Policy: no-referrer, strict-origin-when-cross-origin | |||
# Do the same, but with a meta tag | # Do the same, but with a meta tag | ||
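Review bot: the comment "full referrer to a local host" on the strict-origin-when-cross-origin example is imprecise; the directive sends the full URL to same-origin requests, not to "a local host", and it also sends no referrer at all on an HTTPS-to-HTTP downgrade, which the comment omits. Suggest "# Send the full referrer to same-origin requests, only the origin to cross-origin requests, and nothing on HTTPS to HTTP". The newly added fallback line "Referrer-Policy: no-referrer, strict-origin-when-cross-origin" works because the Referrer Policy specification has browsers use the last value they recognise; the comment should say that explicitly so readers understand why the order of the two tokens matters and do not swap them.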
Line 681: | Line 685: | ||
== Examples == | == Examples == | ||
<pre># Block site from being framed | <pre># Block site from being framed with X-Frame-Options and CSP | ||
Content-Security-Policy: frame-ancestors 'none' | |||
X-Frame-Options: DENY</pre> | X-Frame-Options: DENY</pre> | ||
<pre># Only allow my site to frame itself | <pre># Only allow my site to frame itself | ||
Content-Security-Policy: frame-ancestors 'self' | |||
X-Frame-Options: SAMEORIGIN</pre> | X-Frame-Options: SAMEORIGIN</pre> | ||
<pre># | <pre># Allow only framer.mozilla.org to frame site | ||
Content-Security-Policy: frame-ancestors | # Note that this blocks framing from browsers that don't support CSP2+ | ||
Content-Security-Policy: frame-ancestors https://framer.mozilla.org | |||
X-Frame-Options: DENY</pre> | |||
== See Also == | == See Also == | ||
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options MDN on X-Frame-Options] | * [https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options MDN on X-Frame-Options] | ||
* [https://www.w3.org/TR/CSP2/#directive-frame-ancestors CSP standard on 'frame-ancestors'] | |||
* [https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet OWASP Clickjacking Defense Cheat Sheet] | * [https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet OWASP Clickjacking Defense Cheat Sheet] | ||
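Review bot: in the third example, "X-Frame-Options: DENY" alongside "Content-Security-Policy: frame-ancestors https://framer.mozilla.org" looks contradictory to a reader who does not know that CSP2 requires browsers enforcing frame-ancestors to ignore X-Frame-Options when both are present. The existing comment "# Note that this blocks framing from browsers that don't support CSP2+" states the effect but not the mechanism; suggest extending it to "# Browsers that enforce frame-ancestors ignore X-Frame-Options, so DENY only applies to browsers without CSP2 support". The first two examples gain a CSP line each but their comments still mention only X-Frame-Options in the heading of the first one; consider the same "with X-Frame-Options and CSP" wording for the second.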
Line 722: | Line 728: | ||
| style="padding-left: .5em; text-align: left;" | November, 2016 | | style="padding-left: .5em; text-align: left;" | November, 2016 | ||
| align="center" | April | | align="center" | April | ||
| style="padding-left: .5em;" | Added Referrer Policy | | style="padding-left: .5em;" | Added Referrer Policy, tidied up XFO examples | ||
|- | |- | ||
| style="padding-left: .5em; text-align: left;" | October, 2016 | | style="padding-left: .5em; text-align: left;" | October, 2016 |
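Review bot: the changelog entry "Added Referrer Policy, tidied up XFO examples" undersells the X-Frame-Options change, which adds a Content-Security-Policy frame-ancestors header to every example and a new reference to the CSP2 standard; "added CSP frame-ancestors to the XFO examples" would let someone scanning the changelog know that the recommended defence changed, not just its formatting.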