User:Apking/Web Security Guidelines: Difference between revisions

more tweaks
(formatting)
(more tweaks)
 
(4 intermediate revisions by the same user not shown)
Line 145: Line 145:
| style="text-align: center;" | 12
| style="text-align: center;" | 12
| Recommended for all websites
| Recommended for all websites
| Improves privacy for users, prevents leaking of internal URLs via Referer
| Improves privacy for users, prevents the leaking of internal URLs via <tt>Referer</tt> header
|- style="background-color: #ffffff;"
|- style="background-color: #ffffff;"
| data-sort-value="12" | [[#robots.txt|<span style="color: black;">robots.txt</span>]]
| data-sort-value="12" | [[#robots.txt|<span style="color: black;">robots.txt</span>]]
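Review bot: the new wording in this row ("prevents the leaking of internal URLs via <tt>Referer</tt> header") drops the article; read "via the <tt>Referer</tt> header". "Prevents" also overstates it: the policy only takes effect in browsers that implement it, which the Notes in the Referrer Policy section below concede is not yet most of them, so "reduces the leaking of internal URLs" matches the rest of the page better.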
Line 547: Line 547:
= Referrer Policy =
= Referrer Policy =


When a user navigates to a site via a hyperlink or a webpage includes an external resource, browsers inform these sites of the origin of the requests through the use of the HTTP <tt>Referer</tt> (sic) header. Although this can be useful for a variety of purposes, it can also place the privacy of users at risk.  HTTP Referrer Policy is an HTTP header and &lt;meta&gt; tag that allows sites to have fine-grained control over how browsers use the HTTP <tt>Referer</tt> header. For example, if a page at https://example.com/page.html contains this file <tt>&lt;img src="https://not.example.com/image.jpg"&gt;</tt>, then the browser will send a request like this:
When a user navigates to a site via a hyperlink or a website loads an external resource, browsers inform the destination site of the origin of the requests through the use of the HTTP <tt>Referer</tt> (sic) header. Although this can be useful for a variety of purposes, it can also place the privacy of users at risk.  HTTP Referrer Policy allows sites to have fine-grained control over how and when browsers transmit the HTTP <tt>Referer</tt> header.


<pre>GET /image/jpg HTTP/1.1
In normal operation, if a page at https://example.com/page.html contains <tt><nowiki>&lt;img src="https://not.example.com/image.jpg"&gt;</nowiki></tt>, then the browser will send a request like this:
 
<pre>GET /image.jpg HTTP/1.1
Host: not.example.com
Host: not.example.com
Referer: https://example.com/page.html
Referer: https://example.com/page.html</pre>


To reduce the exposure of this information, it is recommended that websites use HTTP Referrer Policy to either eliminate the Referer header entirely, or reduce the amount of information that it contains.
In addition to the privacy risks that this entails, the browser may also transmit internal-use-only URLs that it may not have intended to reveal. If you as the site operator want to limit the exposure of this information, you can use HTTP Referrer Policy to either eliminate the <tt>Referer</tt> header or reduce the amount of information that it contains.


== Directives ==
== Directives ==


<tt>no-referrer</tt>: never send the Referrer header
* <tt>no-referrer</tt>: never send the <tt>Referer</tt> header
<tt>same-origin</tt>: send referrer, but only on requests to the same origin
* <tt>same-origin</tt>: send referrer, but only on requests to the same origin
<tt>strict-origin</tt>: send referrer to all origins, but only the URL sans path (e.g. https://example.com/)
* <tt>strict-origin</tt>: send referrer to all origins, but only the URL sans path (e.g. https://example.com/)
<tt>strict-origin-when-cross-origin</tt>: send full referrer on same origin, URL sans path on foreign origin
* <tt>strict-origin-when-cross-origin</tt>: send full referrer on same origin, URL sans path on foreign origin


== Notes ==
== Notes ==


There are many additional options for referrer policies, but they do not protect user privacy in the same way as the options above. <tt>no-referrer-when-downgrade</tt> is the default behavior for all current browsers, and can be used when sites are concerned about breaking existing systems that rely on the full Referrer header for their operation.
Although there are other options for referrer policies, they do not protect user privacy and limit exposure in the same way as the options above.


Please note that support for Referrer Policy is still in its infancy. Chrome currently only supports <tt>no-referrer</tt> from the options above, and Firefox awaits full support with Firefox 52.
<tt>no-referrer-when-downgrade</tt> is the default behavior for all current browsers, and can be used when sites are concerned about breaking existing systems that rely on the full Referrer header for their operation.
 
Please note that support for Referrer Policy is still in its infancy. Chrome currently only supports <tt>no-referrer</tt> from the directives above, and Firefox awaits full support with Firefox 52.


== Examples ==
== Examples ==
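Review bot: the Directives list describes <tt>strict-origin</tt> and <tt>strict-origin-when-cross-origin</tt> only in terms of trimming the path, which leaves the "strict" part unstated: both additionally send no <tt>Referer</tt> at all when a request goes from an HTTPS page to an HTTP destination, and that downgrade rule is the only thing that separates <tt>strict-origin</tt> from <tt>origin</tt> and <tt>strict-origin-when-cross-origin</tt> from <tt>origin-when-cross-origin</tt>. Suggest appending ", and nothing at all on an HTTPS-to-HTTP downgrade" to both bullets, since without it the reader has no way to pick the strict variants over the plain ones. Two smaller points in the same hunk: in the paragraph after the request example, "internal-use-only URLs that it may not have intended to reveal" attributes the intent to the browser, whereas it is the site operator who did not intend it, so "that the site operator may not have intended to reveal"; and the browser-support sentences ("the default behavior for all current browsers", "Chrome currently only supports", "Firefox 52") are time-bound, so give them a date so that a later reader knows when "current" was.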
Line 575: Line 579:
# Only send the shortened referrer to a foreign origin, full referrer to a local host
# Only send the shortened referrer to a foreign origin, full referrer to a local host
Referrer-Policy: strict-origin-when-cross-origin
Referrer-Policy: strict-origin-when-cross-origin
# Disable referrers for browsers that don't support strict-origin-when-cross-origin
# Uses strict-origin-when-cross-origin for browsers that do
Referrer-Policy: no-referrer, strict-origin-when-cross-origin


# Do the same, but with a meta tag
# Do the same, but with a meta tag
&lt;meta http-equiv="Referrer-Policy" content="strict-origin-when-cross-origin"&gt;
&lt;meta http-equiv="Referrer-Policy" content="no-referrer, strict-origin-when-cross-origin"&gt;


# Do the same, but only for a single link
# Do the same, but only for a single link
&lt;a href="https://mozilla.org/" referrerpolicy="strict-origin-when-cross-origin"&gt;</pre>
&lt;a href="https://mozilla.org/" referrerpolicy="no-referrer, strict-origin-when-cross-origin"&gt;</pre>


== See Also ==
== See Also ==
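Review bot: the comma-separated fallback list that this hunk adds to the <tt>&lt;meta&gt;</tt> and <tt>&lt;a referrerpolicy&gt;</tt> examples is only defined for the HTTP header. The <tt>Referrer-Policy</tt> header may carry several policies, of which the last one the browser recognises wins, which is why "no-referrer, strict-origin-when-cross-origin" works as a fallback on the header line. The <tt>referrerpolicy</tt> attribute is an enumerated attribute that takes a single policy name; "no-referrer, strict-origin-when-cross-origin" is not a valid value, and an unrecognised value falls back to the empty (default) policy, so the link example silently disables the protection it is trying to add. The same applies to the <tt>&lt;meta&gt;</tt> example, which also has the wrong delivery mechanism: Referrer Policy is set with <tt>&lt;meta name="referrer" content="..."&gt;</tt>, not <tt>http-equiv</tt>, and browsers ignore an <tt>http-equiv="Referrer-Policy"</tt> element. Keep the single-value form from the left-hand revision for the meta and link examples (with <tt>name="referrer"</tt> for the meta), and keep the fallback list for the header only. Minor: the first comment reads more precisely as "full referrer to the same origin" than "to a local host".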
Line 677: Line 685:
== Examples ==
== Examples ==


<pre># Block site from being framed
<pre># Block site from being framed with X-Frame-Options and CSP
Content-Security-Policy: frame-ancestors 'none'
X-Frame-Options: DENY</pre>
X-Frame-Options: DENY</pre>
<pre># Do the same thing, but with Content Security Policy
Content-Security-Policy: frame-ancestors 'none'</pre>


<pre># Only allow my site to frame itself
<pre># Only allow my site to frame itself
Content-Security-Policy: frame-ancestors 'self'
X-Frame-Options: SAMEORIGIN</pre>
X-Frame-Options: SAMEORIGIN</pre>


<pre># Do the same thing, but with Content Security Policy, and also allow frame-you.mozilla.org to frame the site
<pre># Allow only framer.mozilla.org to frame site
Content-Security-Policy: frame-ancestors 'self' https://frame-you.mozilla.org</pre>
# Note that this blocks framing from browsers that don't support CSP2+
Content-Security-Policy: frame-ancestors https://framer.mozilla.org
X-Frame-Options: DENY</pre>


== See Also ==
== See Also ==


* [https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options MDN on X-Frame-Options]
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options MDN on X-Frame-Options]
* [https://www.w3.org/TR/CSP2/#directive-frame-ancestors CSP standard on 'frame-ancestors']
* [https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet OWASP Clickjacking Defense Cheat Sheet]
* [https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet OWASP Clickjacking Defense Cheat Sheet]


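Review bot: the comment on the third example ("this blocks framing from browsers that don't support CSP2+") states only half of the reasoning. Pairing <tt>frame-ancestors https://framer.mozilla.org</tt> with <tt>X-Frame-Options: DENY</tt> relies on CSP2-capable browsers giving <tt>frame-ancestors</tt> precedence over <tt>X-Frame-Options</tt>, which the CSP2 specification linked under See Also only recommends (SHOULD); a browser that enforces both headers will deny framer.mozilla.org as well. Suggest stating that in the comment and noting that the first two examples do not have this problem because there the two headers agree. Also, unlike the left-hand revision, the new allow list omits <tt>'self'</tt>, so the site can no longer frame itself; that is consistent with the new comment, but worth a word so that readers do not copy it expecting the old behaviour.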
Line 716: Line 726:
! Changes
! Changes
|-
|-
| style="padding-left: .5em; text-align: left;" | October, 2016
| style="padding-left: .5em; text-align: left;" | November, 2016
| align="center" | April
| align="center" | April
| style="padding-left: .5em;" | Added Referrer Policy
| style="padding-left: .5em;" | Added Referrer Policy, tidied up XFO examples
|-
|-
| style="padding-left: .5em; text-align: left;" | October, 2016
| style="padding-left: .5em; text-align: left;" | October, 2016