|
|
Line 26: |
Line 26: |
| <li>[[#Cross-origin Resource Sharing|6 Cross-origin Resource Sharing]]</li> | | <li>[[#Cross-origin Resource Sharing|6 Cross-origin Resource Sharing]]</li> |
| <li>[[#CSRF Prevention|7 CSRF Prevention]]</li> | | <li>[[#CSRF Prevention|7 CSRF Prevention]]</li> |
| <li>[[#Referrer Policy|8 Referrer Policy]]</li>
| | <li>[[#robots.txt|8 robots.txt]]</li> |
| <li>[[#robots.txt|9 robots.txt]]</li> | | <li>[[#Subresource Integrity|9 Subresource Integrity]]</li> |
| <li>[[#Subresource Integrity|10 Subresource Integrity]]</li> | | <li>[[#X-Content-Type-Options|10 X-Content-Type-Options]]</li> |
| <li>[[#X-Content-Type-Options|11 X-Content-Type-Options]]</li> | | <li>[[#X-Frame-Options|11 X-Frame-Options]]</li> |
| <li>[[#X-Frame-Options|12 X-Frame-Options]]</li> | | <li>[[#X-XSS-Protection|12 X-XSS-Protection]]</li> |
| <li>[[#X-XSS-Protection|13 X-XSS-Protection]]</li> | | <li>[[#Version History|13 Version History]]</li> |
| <li>[[#Version History|14 Version History]]</li> | |
| </ul> | | </ul> |
| </div> | | </div> |
Line 139: |
Line 138: |
| | Varies | | | Varies |
| | Mandatory for websites that allow destructive changes<br>Unnecessary for all other websites<br>Most application frameworks have built-in CSRF tokenization to ease implementation | | | Mandatory for websites that allow destructive changes<br>Unnecessary for all other websites<br>Most application frameworks have built-in CSRF tokenization to ease implementation |
| |- style="background-color: #ffffff;"
| |
| | data-sort-value="11" | [[#Referrer Policy|<span style="color: black;">Referrer Policy</span>]]
| |
| | data-sort-value="1" style="text-align: center;" | <span style="background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">Low</span>
| |
| | data-sort-value="99" style="text-align: center;" | <span style="background-color: #ffffff; border: solid 1px #aaaaaa; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">Unknown</span>
| |
| | style="text-align: center;" | 6
| |
| | Recommended for all websites
| |
| | Improves privacy for users, prevents leaking of internal URLs via Referer
| |
| |- style="background-color: #ffffff;" | | |- style="background-color: #ffffff;" |
| | data-sort-value="12" | [[#robots.txt|<span style="color: black;">robots.txt</span>]] | | | data-sort-value="12" | [[#robots.txt|<span style="color: black;">robots.txt</span>]] |
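Review bot: the Implementation Difficulty cell in the new Referrer Policy row is the "Unknown" placeholder (data-sort-value="99") while every other cell in the row is filled in; since the policy is set with one header or one meta tag (see the Examples section this revision adds), a concrete value such as Low would keep the summary table sortable and consistent with the neighbouring rows. The "Recommended for all websites" cell also reads stronger than the Notes section added further down, which states that support is still in its infancy (Chrome only supports no-referrer, full Firefox support awaits Firefox 52); a qualifier such as "Recommended for all websites (browser support still limited)" would keep the table and the section in agreement.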
Line 302: |
Line 294: |
| * [https://noncombatant.org/2015/05/01/about-http-public-key-pinning/ About Public Key Pinning] | | * [https://noncombatant.org/2015/05/01/about-http-public-key-pinning/ About Public Key Pinning] |
| * [https://scotthelme.co.uk/hpkp-toolset/ The HPKP Toolset] - helpful tools for generating key pins | | * [https://scotthelme.co.uk/hpkp-toolset/ The HPKP Toolset] - helpful tools for generating key pins |
| | |
|
| |
|
| == Resource Loading == | | == Resource Loading == |
Line 543: |
Line 536: |
| * [https://en.wikipedia.org/wiki/Cross-site_request_forgery#Prevention Wikipedia on CRSF Attacks and Prevention] | | * [https://en.wikipedia.org/wiki/Cross-site_request_forgery#Prevention Wikipedia on CRSF Attacks and Prevention] |
| * [https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet OWASP CSRF Prevention Cheat Sheet] | | * [https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet OWASP CSRF Prevention Cheat Sheet] |
|
| |
|
| |
| = Referrer Policy =
| |
|
| |
| When a user navigates to a site via a hyperlink or a webpage includes an external resource, browsers inform these sites of the origin of the requests through the use of the HTTP <tt>Referer</tt> (sic) header. Although this can be useful for a variety of purposes, it can also place the privacy of users at risk. HTTP Referrer Policy is an HTTP header and <meta> tag that allows sites to have fine-grained control over how browsers use the HTTP <tt>Referer</tt> header. For example, if a page at https://example.com/page.html contains this file <pre><img src="https://not.example.com/image.jpg"></tt>, then the browser will send a request like this:
| |
|
| |
| <pre>GET /image/jpg HTTP/1.1
| |
| Host: not.example.com
| |
| Referer: https://example.com/page.html
| |
|
| |
| To reduce the exposure of this information, it is recommended that websites use HTTP Referrer Policy to either eliminate the Referer header entirely, or reduce the amount of information that it contains.
| |
|
| |
| == Directives ==
| |
|
| |
| <tt>no-referrer</tt>: never send the Referrer header
| |
| <tt>same-origin</tt>: send referrer, but only on requests to the same origin
| |
| <tt>strict-origin</tt>: send referrer to all origins, but only the URL sans path (e.g. https://example.com/)
| |
| <tt>strict-origin-when-cross-origin</tt>: send full referrer on same origin, URL sans path on foreign origin
| |
|
| |
| == Notes ==
| |
|
| |
| There are many additional options for referrer policies, but they do not protect user privacy in the same way as the options above. <tt>no-referrer-when-downgrade</tt> is the default behavior for all current browsers, and can be used when sites are concerned about breaking existing systems that rely on the full Referrer header for their operation.
| |
|
| |
| Please note that support for Referrer Policy is still in its infancy. Chrome currently only supports <tt>no-referrer</tt> from the options above, and Firefox awaits full support with Firefox 52.
| |
|
| |
| == Examples ==
| |
|
| |
| <pre># On example.com, only send the Referer header when loading or linking to other example.com resources
| |
| Referrer-Policy: same-origin
| |
|
| |
| # Only send the shortened referrer to a foreign origin, full referrer to a local host
| |
| Referrer-Policy: strict-origin-when-cross-origin
| |
|
| |
| # Do the same, but with a meta tag
| |
| <meta http-equiv="Referrer-Policy" content="strict-origin-when-cross-origin">
| |
|
| |
| # Do the same, but only for a single link
| |
| <a href="https://mozilla.org/" referrerpolicy="strict-origin-when-cross-origin"></pre>
| |
|
| |
| == See Also ==
| |
| * [https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-same-origin Referrer Policy standard]
| |
| * [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy MDN on Referrer Policy]
| |
|
| |
|
|
| |
|
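Review bot: the inline example in the opening paragraph opens with <pre> but closes with </tt>, and the <img src="..."> inside it is not escaped, so the wiki will emit a real image element (and a request to not.example.com) instead of showing the tag, and the unclosed <pre> will swallow the rest of the section; write it as <tt>&lt;img src="https://not.example.com/image.jpg"&gt;</tt>. In the same example the request line reads "GET /image/jpg HTTP/1.1" while the src path is /image.jpg, so the two should match, and that <pre> block has no closing </pre> before the "To reduce the exposure of this information" paragraph. Smaller points: the Directives list and the Notes paragraph say "Referrer header" where the header itself is spelled Referer (the first paragraph gets this right with its "(sic)"); the strict-origin and strict-origin-when-cross-origin entries describe only the "origin instead of full URL" part, while the "strict" part, that no referrer is sent at all when the request downgrades from HTTPS to HTTP, is the privacy property that distinguishes them and is worth a clause, especially since the Notes section names no-referrer-when-downgrade without explaining the downgrade case; and the last Examples line, <a href="https://mozilla.org/" referrerpolicy="strict-origin-when-cross-origin">, has neither link text nor a closing </a>.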
Line 715: |
Line 666: |
| ! scope="col" style="width: 6em;" | Editor | | ! scope="col" style="width: 6em;" | Editor |
| ! Changes | | ! Changes |
| |-
| |
| | style="padding-left: .5em; text-align: left;" | October, 2016
| |
| | align="center" | April
| |
| | style="padding-left: .5em;" | Added Referrer Policy
| |
| |- | | |- |
| | style="padding-left: .5em; text-align: left;" | October, 2016 | | | style="padding-left: .5em; text-align: left;" | October, 2016 |