(Automated sync from https://github.com/mozilla/wikimo_opsec) |
Line 579: | Line 579: | ||
# Only send the shortened referrer to a foreign origin, full referrer to a local host | # Only send the shortened referrer to a foreign origin, full referrer to a local host | ||
Referrer-Policy: strict-origin-when-cross-origin | Referrer-Policy: strict-origin-when-cross-origin | ||
# Disable referrers for browsers that don't support strict-origin-when-cross-origin | |||
# Uses strict-origin-when-cross-origin for browsers that do | |||
Referrer-Policy: no-referrer, strict-origin-when-cross-origin | |||
# Do the same, but with a meta tag | # Do the same, but with a meta tag | ||
<meta http-equiv="Referrer-Policy" content="strict-origin-when-cross-origin"> | <meta http-equiv="Referrer-Policy" content="no-referrer, strict-origin-when-cross-origin"> | ||
# Do the same, but only for a single link | # Do the same, but only for a single link | ||
<a href="https://mozilla.org/" referrerpolicy="strict-origin-when-cross-origin"></pre> | <a href="https://mozilla.org/" referrerpolicy="no-referrer, strict-origin-when-cross-origin"></pre> | ||
== See Also == | == See Also == | ||
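Review bot: the comma-separated fallback list `no-referrer, strict-origin-when-cross-origin` is only meaningful in the HTTP `Referrer-Policy` header, where a browser applies the last policy token it recognises; it should not be copied into the `<meta>` and `<a referrerpolicy="...">` examples in this hunk. The `referrerpolicy` attribute is an enumerated attribute that accepts exactly one policy keyword, and the meta element likewise takes a single policy, so a browser will treat the list as an unknown value and fall back to the default policy rather than to `strict-origin-when-cross-origin`. Suggest keeping `content="strict-origin-when-cross-origin"` and `referrerpolicy="strict-origin-when-cross-origin"` in those two lines, and, while the meta line is being touched, switching it to the form the Referrer Policy specification actually defines, `<meta name="referrer" content="strict-origin-when-cross-origin">`, since `http-equiv="Referrer-Policy"` is not a recognised `http-equiv` state.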
Line 681: | Line 685: | ||
== Examples == | == Examples == | ||
<pre># Block site from being framed | <pre># Block site from being framed with X-Frame-Options and CSP | ||
Content-Security-Policy: frame-ancestors 'none' | |||
X-Frame-Options: DENY</pre> | X-Frame-Options: DENY</pre> | ||
<pre># Only allow my site to frame itself | <pre># Only allow my site to frame itself | ||
Content-Security-Policy: frame-ancestors 'self' | |||
X-Frame-Options: SAMEORIGIN</pre> | X-Frame-Options: SAMEORIGIN</pre> | ||
<pre># | <pre># Allow only framer.mozilla.org to frame site | ||
Content-Security-Policy: frame-ancestors | # Note that this blocks framing from browsers that don't support CSP2+ | ||
Content-Security-Policy: frame-ancestors https://framer.mozilla.org | |||
X-Frame-Options: DENY</pre> | |||
== See Also == | == See Also == | ||
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options MDN on X-Frame-Options] | * [https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options MDN on X-Frame-Options] | ||
* [https://www.w3.org/TR/CSP2/#directive-frame-ancestors CSP standard on 'frame-ancestors'] | |||
* [https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet OWASP Clickjacking Defense Cheat Sheet] | * [https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet OWASP Clickjacking Defense Cheat Sheet] | ||
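Review bot: the comment `# Note that this blocks framing from browsers that don't support CSP2+` on the third example states the effect but not the mechanism, and without it the pairing of `frame-ancestors https://framer.mozilla.org` with `X-Frame-Options: DENY` reads as contradictory, as if DENY overrode the allow-list. Suggest spelling out that a browser supporting `frame-ancestors` must ignore `X-Frame-Options` when that directive is present, so DENY is only consulted by older browsers, which then cannot frame the site at all, e.g. `# X-Frame-Options is ignored by browsers that support frame-ancestors; DENY only applies to older browsers`. The same one-line explanation would also help readers of the first two examples understand why both headers are sent together.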
Line 722: | Line 728: | ||
| style="padding-left: .5em; text-align: left;" | November, 2016 | | style="padding-left: .5em; text-align: left;" | November, 2016 | ||
| align="center" | April | | align="center" | April | ||
| style="padding-left: .5em;" | Added Referrer Policy | | style="padding-left: .5em;" | Added Referrer Policy, tidied up XFO examples | ||
|- | |- | ||
| style="padding-left: .5em; text-align: left;" | October, 2016 | | style="padding-left: .5em; text-align: left;" | October, 2016 |