Security/Guidelines/Web Security: Difference between revisions

Automated sync from https://github.com/mozilla/wikimo_content
(Automated sync from https://github.com/mozilla/wikimo_opsec)
 
(Automated sync from https://github.com/mozilla/wikimo_content)
 
(16 intermediate revisions by 5 users not shown)
Line 26: Line 26:
             <li>[[#Cross-origin Resource Sharing|6 Cross-origin Resource Sharing]]</li>
             <li>[[#Cross-origin Resource Sharing|6 Cross-origin Resource Sharing]]</li>
             <li>[[#CSRF Prevention|7 CSRF Prevention]]</li>
             <li>[[#CSRF Prevention|7 CSRF Prevention]]</li>
             <li>[[#robots.txt|8 robots.txt]]</li>
            <li>[[#Referrer Policy|8 Referrer Policy]]</li>
             <li>[[#Subresource Integrity|9 Subresource Integrity]]</li>
             <li>[[#robots.txt|9 robots.txt]]</li>
             <li>[[#X-Content-Type-Options|10 X-Content-Type-Options]]</li>
             <li>[[#Subresource Integrity|10 Subresource Integrity]]</li>
             <li>[[#X-Frame-Options|11 X-Frame-Options]]</li>
             <li>[[#X-Content-Type-Options|11 X-Content-Type-Options]]</li>
             <li>[[#X-XSS-Protection|12 X-XSS-Protection]]</li>
             <li>[[#X-Frame-Options|12 X-Frame-Options]]</li>
             <li>[[#Version History|13 Version History]]</li>
             <li>[[#X-XSS-Protection|13 X-XSS-Protection]]</li>
             <li>[[#Version History|14 Version History]]</li>
           </ul>
           </ul>
         </div>
         </div>
Line 138: Line 139:
| Varies
| Varies
| Mandatory for websites that allow destructive changes<br>Unnecessary for all other websites<br>Most application frameworks have built-in CSRF tokenization to ease implementation
| Mandatory for websites that allow destructive changes<br>Unnecessary for all other websites<br>Most application frameworks have built-in CSRF tokenization to ease implementation
|- style="background-color: #ffffff;"
| data-sort-value="11" | [[#Referrer Policy|<span style="color: black;">Referrer Policy</span>]]
| data-sort-value="1" style="text-align: center;" | <span style="background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">Low</span>
| data-sort-value="1" style="text-align: center;" | <span style="background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">Low</span>
| style="text-align: center;" | 12
| Recommended for all websites
| Improves privacy for users, prevents the leaking of internal URLs via <tt>Referer</tt> header
|- style="background-color: #ffffff;"
|- style="background-color: #ffffff;"
| data-sort-value="12" | [[#robots.txt|<span style="color: black;">robots.txt</span>]]
| data-sort-value="12" | [[#robots.txt|<span style="color: black;">robots.txt</span>]]
| data-sort-value="1" style="text-align: center;" | <span style="background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">Low</span>
| data-sort-value="1" style="text-align: center;" | <span style="background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">Low</span>
| data-sort-value="1" style="text-align: center;" | <span style="background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">Low</span>
| data-sort-value="1" style="text-align: center;" | <span style="background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">Low</span>
| style="text-align: center;" | 13
| style="text-align: center;" | 14
| Optional
| Optional
| Websites that implement robots.txt must use it only for noted purposes
| Websites that implement robots.txt must use it only for noted purposes
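Review bot: the data-sort-value of the new Referrer Policy row ("11") and of the robots.txt row (kept at "12" while its order column moves from 13 to 14) need checking against the other rows of the name column: if the sort keys were sequential before this insertion, "11" now collides with whichever row carried it and the sort order no longer matches the order column. Renumber the keys so they stay unique and in table order.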
Line 149: Line 157:
| data-sort-value="2" style="text-align: center;" | <span style="background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">Medium</span>
| data-sort-value="2" style="text-align: center;" | <span style="background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">Medium</span>
| data-sort-value="2" style="text-align: center;" | <span style="background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">Medium</span>
| data-sort-value="2" style="text-align: center;" | <span style="background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">Medium</span>
| style="text-align: center;" | 14
| style="text-align: center;" | 15
| Recommended<sup style="font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;">&Dagger;</sup>
| Recommended<sup style="font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;">&Dagger;</sup>
| <sup style="font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;">&Dagger;</sup> Only for websites that load JavaScript or stylesheets from foreign origins
| <sup style="font-size: .8em; position: relative; top: -.4em; vertical-align: baseline;">&Dagger;</sup> Only for websites that load JavaScript or stylesheets from foreign origins
Line 170: Line 178:
| data-sort-value="1" style="text-align: center;" | <span style="background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">Low</span>
| data-sort-value="1" style="text-align: center;" | <span style="background-color: #cccccc; border-radius: .25em; color: #000000; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">Low</span>
| data-sort-value="2" style="text-align: center;" | <span style="background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">Medium</span>
| data-sort-value="2" style="text-align: center;" | <span style="background-color: #4a6785; border-radius: .25em; color: #ffffff; display: inline-block; font-weight: bold; margin: .1em 0; min-width: 6em; padding: .05em .5em; text-transform: uppercase; text-align: center;">Medium</span>
| style="text-align: center;" | 12
| style="text-align: center;" | 13
| Mandatory for all new websites<br>Recommended for existing websites
| Mandatory for all new websites<br>Recommended for existing websites
| Manual testing should be done for existing websites, prior to implementation
| Manual testing should be done for existing websites, prior to implementation
Line 227: Line 235:
* <tt>max-age:</tt> how long user agents will redirect to HTTPS, in seconds
* <tt>max-age:</tt> how long user agents will redirect to HTTPS, in seconds
* <tt>includeSubDomains:</tt> whether user agents should upgrade requests on subdomains
* <tt>includeSubDomains:</tt> whether user agents should upgrade requests on subdomains
* <tt>preload:</tt> whether the site should be included in the [https://hstspreload.appspot.com/ HSTS preload list]
* <tt>preload:</tt> whether the site should be included in the [https://hstspreload.org/ HSTS preload list]


<tt>max-age</tt> must be set to a minimum of six months (15768000), but longer periods such as one year (31536000) are recommended.  Note that once this value is set, the site must continue to support HTTPS until the expiry time has been reached.
<tt>max-age</tt> must be set to a minimum of six months (15768000), but longer periods such as two years (63072000) are recommended.  Note that once this value is set, the site must continue to support HTTPS until the expiry time has been reached.


<tt>includeSubDomains</tt> notifies the browser that all subdomains of the current origin should also be upgraded via HSTS.  For example, setting <tt>includeSubDomains</tt> on <tt>domain.mozilla.com</tt> will also set it on <tt>host1.domain.mozilla.com</tt> and <tt>host2.domain.mozilla.com</tt>. Extreme care is needed when setting the <tt>includeSubDomains</tt> flag, as it could disable sites on subdomains that don't yet have HTTPS enabled.
<tt>includeSubDomains</tt> notifies the browser that all subdomains of the current origin should also be upgraded via HSTS.  For example, setting <tt>includeSubDomains</tt> on <tt>domain.mozilla.com</tt> will also set it on <tt>host1.domain.mozilla.com</tt> and <tt>host2.domain.mozilla.com</tt>. Extreme care is needed when setting the <tt>includeSubDomains</tt> flag, as it could disable sites on subdomains that don't yet have HTTPS enabled.


<tt>preload</tt> allows the website to be included in the [https://hstspreload.appspot.com/ HSTS preload list], upon submission. As a result, web browsers will do HTTPS upgrades to the site without ever having to receive the initial HSTS header.  This prevents downgrade attacks upon first use and is recommended for all high risk websites.  Note that being included in the HSTS preload list requires that <tt>includeSubDomains</tt> also be set.
<tt>preload</tt> allows the website to be included in the [https://hstspreload.org/ HSTS preload list], upon submission. As a result, web browsers will do HTTPS upgrades to the site without ever having to receive the initial HSTS header.  This prevents downgrade attacks upon first use and is recommended for all high risk websites.  Note that being included in the HSTS preload list requires that <tt>includeSubDomains</tt> also be set.


=== Examples ===
=== Examples ===


<pre># Only connect to this site via HTTPS for the next year (recommended)
<pre># Only connect to this site via HTTPS for the two years (recommended)
Strict-Transport-Security: max-age=31536000</pre>
Strict-Transport-Security: max-age=63072000</pre>


<pre># Only connect to this site and subdomains via HTTPS for the next year and also include in the preload list
<pre># Only connect to this site and subdomains via HTTPS for the next two years and also include in the preload list
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload</pre>
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload</pre>


=== See Also ===
=== See Also ===
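Review bot: the comment in the first example, "Only connect to this site via HTTPS for the two years (recommended)", drops a word; make it "for the next two years" to match the second example. The numbers are consistent: 63072000 seconds is 730 days, matching the "two years (63072000)" recommendation in the prose, and the preload-list link now points at hstspreload.org in both places.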
Line 294: Line 302:
* [https://noncombatant.org/2015/05/01/about-http-public-key-pinning/ About Public Key Pinning]
* [https://noncombatant.org/2015/05/01/about-http-public-key-pinning/ About Public Key Pinning]
* [https://scotthelme.co.uk/hpkp-toolset/ The HPKP Toolset] - helpful tools for generating key pins
* [https://scotthelme.co.uk/hpkp-toolset/ The HPKP Toolset] - helpful tools for generating key pins


== Resource Loading ==
== Resource Loading ==
Line 330: Line 337:
* Aiming for <tt>default-src: https:</tt> is a great first goal, as it disables inline code and requires https.
* Aiming for <tt>default-src: https:</tt> is a great first goal, as it disables inline code and requires https.
* For existing websites with large codebases that would require too much work to disable inline scripts, <tt>default-src: https: 'unsafe-inline'</tt> is still helpful, as it keeps resources from being accidentally loaded over http. However, it does not provide any XSS protection.
* For existing websites with large codebases that would require too much work to disable inline scripts, <tt>default-src: https: 'unsafe-inline'</tt> is still helpful, as it keeps resources from being accidentally loaded over http. However, it does not provide any XSS protection.
* Sites that want to go further are recommended to start with a reasonably locked down policy such as <tt>default-src 'none'; connect-src 'self'; img-src 'self'; script-src 'self'; style-src 'self'</tt> and then add in remote sources as revealed during testing.
* It is recommended to start with a reasonably locked down policy such as <tt>default-src 'none'; img-src 'self'; script-src 'self'; style-src 'self'</tt> and then add in sources as revealed during testing.
* In lieu of the preferred HTTP header, pages can instead include a <tt>&lt;meta http-equiv="Content-Security-Policy" content="&hellip;"&gt;</tt> tag. If they do, it should be the first <tt>&lt;meta&gt;</tt> tag that appears inside <tt>&lt;head&gt;</tt>.
* In lieu of the preferred HTTP header, pages can instead include a <tt>&lt;meta http-equiv="Content-Security-Policy" content="&hellip;"&gt;</tt> tag. If they do, it should be the first <tt>&lt;meta&gt;</tt> tag that appears inside <tt>&lt;head&gt;</tt>.
* Care needs to be taken with <tt>blob:</tt> and <tt>data:</tt> URIs, as these are not covered by 'self' and need to be included in the CSP declaration
* Care needs to be taken with <tt>data:</tt> URIs, as these are unsafe inside <tt>script-src</tt> and <tt>object-src</tt> (or inherited from <tt>default-src</tt>).
* Similarly, the use of <tt>script-src 'self'</tt> can be unsafe for sites with JSONP endpoints. These sites should use a <tt>script-src</tt> that includes the path to their JavaScript source folder(s).
* Unless sites need the ability to execute plugins such as Flash or Silverlight, they should disable their execution with <tt>object-src 'none'</tt>.
* Sites should ideally use the <tt>report-uri</tt> directive, which POSTs JSON reports about CSP violations that do occur. This allows CSP violations to be caught and repaired quickly.
* Sites should ideally use the <tt>report-uri</tt> directive, which POSTs JSON reports about CSP violations that do occur. This allows CSP violations to be caught and repaired quickly.
* Prior to implementation, it is recommended to use the <tt>Content-Security-Policy-Report-Only</tt> HTTP header, to see if any violations would have occured with that policy.
* Prior to implementation, it is recommended to use the <tt>Content-Security-Policy-Report-Only</tt> HTTP header, to see if any violations would have occured with that policy.
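Review bot: the recommended starting policy drops `connect-src 'self'` from the earlier version, and with `default-src 'none'` every same-origin XHR, fetch and WebSocket is blocked until a connect-src is added; either keep `connect-src 'self'` in the example or say explicitly that fetch/XHR endpoints are among the sources to add during testing. The Report-Only bullet still misspells "occured" (should be "occurred"). The data: bullet is right that data: is unsafe in script-src and object-src; dropping the old blob: mention is fine since the bullet no longer claims anything about 'self' coverage.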
Line 338: Line 347:
== Examples ==
== Examples ==


<pre># Disable unsafe inline/eval, only allow loading of resources (images, fonts, scripts, etc.) over https (recommended)
<pre># Disable unsafe inline/eval, only allow loading of resources (images, fonts, scripts, etc.) over https
# Note that this does not provide any XSS protection
Content-Security-Policy: default-src https:</pre>
Content-Security-Policy: default-src https:</pre>


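Review bot: the new comment "Note that this does not provide any XSS protection" overstates the case: `default-src https:` without 'unsafe-inline' does block inline scripts and eval (the bullet above says it "disables inline code"), but scripts hosted on any https origin are still allowed to load. Say "provides only limited XSS protection, since scripts from any https origin are still allowed", and keep the distinction from the 'unsafe-inline' variant, which is the policy that provides none.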
Line 344: Line 354:
<meta http-equiv="Content-Security-Policy" content="default-src https:"></pre>
<meta http-equiv="Content-Security-Policy" content="default-src https:"></pre>


<pre># Disable the use of unsafe inline/eval, allow everything else
<pre># Disable the use of unsafe inline/eval, allow everything else except plugin execution
Content-Security-Policy: *</pre>
Content-Security-Policy: default-src *; object-src 'none'</pre>


<pre># Disable unsafe inline/eval, only load resources from same origin, except also allow images on imgur
<pre># Disable unsafe inline/eval, only load resources from same origin except also allow images from imgur
Content-Security-Policy: default-src 'self'; img-src 'self' https://i.imgur.com</pre>
# Also disables the execution of plugins
Content-Security-Policy: default-src 'self'; img-src 'self' https://i.imgur.com; object-src 'none'</pre>


<pre># Disable unsafe inline/eval, only load resources from same origin, fonts from google, images from same origin and imgur
<pre># Disable unsafe inline/eval and plugins, only load scripts and stylesheets from same origin, fonts from google,
Content-Security-Policy: default-src 'self'; font-src 'https://fonts.googleapis.com'; img-src 'self' https://i.imgur.com</pre>
# and images from same origin and imgur. Sites should aim for policies like this.
Content-Security-Policy: default-src 'none'; font-src 'https://fonts.googleapis.com';
                            img-src 'self' https://i.imgur.com; object-src 'none'; script-src 'self'; style-src 'self'</pre>


<pre># Pre-existing site uses too much inline code to fix, but wants to ensure resources are loaded only over https
<pre># Pre-existing site that uses too much inline code to fix
Content-Security-Policy: default-src https: 'unsafe-eval' 'unsafe-inline'</pre>
# but wants to ensure resources are loaded only over https and disable plugins
Content-Security-Policy: default-src https: 'unsafe-eval' 'unsafe-inline'; object-src 'none'</pre>


<pre># Don't implement the above policy yet; instead just report violations that would have occured
<pre># Don't implement the above policy yet; instead just report violations that would have occured
Content-Security-Policy-Report-Only: default-src https:; report-uri /csp-violation-report-endpoint/</pre>
Content-Security-Policy-Report-Only: default-src https:; report-uri /csp-violation-report-endpoint/</pre>
<pre># Disable the loading of any resources and disable framing, recommended for APIs to use
Content-Security-Policy: default-src 'none'; frame-ancestors 'none'</pre>


== See Also ==
== See Also ==
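Review bot: `font-src 'https://fonts.googleapis.com'` (carried over from the old line into the "Sites should aim for" example) wraps a host source in single quotes; quotes are only valid around keywords, nonces and hashes, so browsers reject the source expression and the fonts get blocked. Write it as `font-src https://fonts.googleapis.com`. In practice Google Fonts serves the stylesheet from fonts.googleapis.com and the font files from fonts.gstatic.com, so the stylesheet host belongs in style-src and the font host in font-src. Replacing the syntactically invalid `Content-Security-Policy: *` with `default-src *; object-src 'none'` is a correct fix; the folded continuation line in the aim-for example is display-only and a real header goes on one line.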
Line 363: Line 380:
* [http://www.html5rocks.com/en/tutorials/security/content-security-policy/ An Introduction to Content Security Policy]
* [http://www.html5rocks.com/en/tutorials/security/content-security-policy/ An Introduction to Content Security Policy]
* [http://www.cspplayground.com/ Content Security Policy Playground]
* [http://www.cspplayground.com/ Content Security Policy Playground]
* [http://www.w3.org/TR/CSP2/ Content Security Policy Level 2 Standard]
* [https://www.w3.org/TR/CSP2/ Content Security Policy Level 2 Standard]
 
* [https://csp-evaluator.withgoogle.com/ Google CSP Evaluator]
* [[#X-Frame-Options|Using the frame-ancestors directive to prevent framing]]


= contribute.json =
= contribute.json =
Line 370: Line 388:
<tt>contribute.json</tt> is a text file placed within the root directory of a website that describes what it is, where its source exists, what technologies it uses, and how to reach support and contribute.  <tt>contribute.json</tt> is a Mozilla standard used to describe all active Mozilla websites and projects.
<tt>contribute.json</tt> is a text file placed within the root directory of a website that describes what it is, where its source exists, what technologies it uses, and how to reach support and contribute.  <tt>contribute.json</tt> is a Mozilla standard used to describe all active Mozilla websites and projects.


Its existence can greatly speed up the process of bug triage, particularly for smaller websites with just a handful of maintainers. It further assists with helping security researchers find testable of websites and instructs them on where where in Bugzilla to file their bugs against. As such, <tt>contribute.json</tt> is mandatory for all Mozilla websites, and must be maintained as contributors join and depart projects.
Its existence can greatly speed up the process of bug triage, particularly for smaller websites with just a handful of maintainers. It further assists security researchers to find testable websites and instructs them on where to file their bugs against. As such, <tt>contribute.json</tt> is mandatory for all Mozilla websites, and must be maintained as contributors join and depart projects.


Require subkeys include <tt>name</tt>, <tt>description</tt>, <tt>bugs</tt>, <tt>participate</tt> (particularly <tt>irc</tt> and <tt>irc-clients</tt>), and <tt>urls</tt>.
Require subkeys include <tt>name</tt>, <tt>description</tt>, <tt>bugs</tt>, <tt>participate</tt> (particularly <tt>irc</tt> and <tt>irc-contacts</tt>), and <tt>urls</tt>.


== Examples ==
== Examples ==
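Review bot: "Require subkeys include" (unchanged in the new line) should be "Required subkeys include", and "instructs them on where to file their bugs against" still carries a dangling "against"; "where to file their bugs" reads cleanly. The irc-clients to irc-contacts rename should be checked against the contribute.json schema linked under See Also, since the key name is what tooling validates.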
Line 420: Line 438:


* [https://www.contributejson.org/ The contribute.json Standard]
* [https://www.contributejson.org/ The contribute.json Standard]


= Cookies =
= Cookies =
Line 428: Line 445:
== Directives ==
== Directives ==


* Name: Cookie names may be either be prepended with either <tt>__Secure-</tt> or <tt>__Host-</tt> to prevent cookies from being overwritten by insecure sources
** Use <tt>__Host-</tt> for all cookies needed only on a specific domain (no subdomains) where <tt>Path</tt> is set to <tt>/</tt>
** Use <tt>__Secure-</tt> for all other cookies sent from secure origins (such as HTTPS)
* <tt>Secure</tt>: All cookies must be set with the <tt>Secure</tt> flag, indicating that they should only be sent over HTTPS
* <tt>Secure</tt>: All cookies must be set with the <tt>Secure</tt> flag, indicating that they should only be sent over HTTPS
* <tt>HttpOnly:</tt> Cookies that don't require access from JavaScript should be set with the <tt>HttpOnly</tt> flag
* <tt>HttpOnly:</tt> Cookies that don't require access from JavaScript should be set with the <tt>HttpOnly</tt> flag
Line 435: Line 455:
* <tt>Domain:</tt> Cookies should only be set with this if they need to be accessible on other domains, and should be set to the most restrictive domain possible
* <tt>Domain:</tt> Cookies should only be set with this if they need to be accessible on other domains, and should be set to the most restrictive domain possible
* <tt>Path:</tt> Cookies should be set to the most restrictive path possible, but for most applications this will be set to the root directory
* <tt>Path:</tt> Cookies should be set to the most restrictive path possible, but for most applications this will be set to the root directory
== Experimental Directives ==
* Name: Cookie names may be either be prepended with either <tt>__Secure-</tt> or <tt>__Host-</tt> to prevent cookies from being overwritten by insecure sources
** Use <tt>__Host-</tt> for all cookies set to an individual host (no Domain parameter) and with no Path parameter
** Use <tt>__Secure-</tt> for all other cookies


== Examples ==
== Examples ==
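Review bot: the new Name bullet has a doubled phrase, "may be either be prepended with either"; "may be prefixed with either __Secure- or __Host-". It is worth stating on the same bullet that both prefixes are only honoured on cookies that also carry the Secure attribute and are set from a secure origin, since that is the property that stops an insecure source from overwriting them. The __Host- sub-bullet correctly requires Path=/ and no Domain, which the old "Experimental Directives" wording ("no Path parameter") got wrong.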
Line 456: Line 470:


* [https://tools.ietf.org/html/rfc6265 RFC 6265 (HTTP Cookies)]
* [https://tools.ietf.org/html/rfc6265 RFC 6265 (HTTP Cookies)]
* [https://tools.ietf.org/html/draft-west-cookie-prefixes HTTP Cookie Prefixes (Experimental)]
* [https://tools.ietf.org/html/draft-west-cookie-prefixes HTTP Cookie Prefixes]




Line 527: Line 541:
* [https://en.wikipedia.org/wiki/Cross-site_request_forgery#Prevention Wikipedia on CRSF Attacks and Prevention]
* [https://en.wikipedia.org/wiki/Cross-site_request_forgery#Prevention Wikipedia on CRSF Attacks and Prevention]
* [https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet OWASP CSRF Prevention Cheat Sheet]
* [https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet OWASP CSRF Prevention Cheat Sheet]
= Referrer Policy =
When a user navigates to a site via a hyperlink or a website loads an external resource, browsers inform the destination site of the origin of the requests through the use of the HTTP <tt>Referer</tt> (sic) header. Although this can be useful for a variety of purposes, it can also place the privacy of users at risk.  HTTP Referrer Policy allows sites to have fine-grained control over how and when browsers transmit the HTTP <tt>Referer</tt> header.
In normal operation, if a page at https://example.com/page.html contains <tt><nowiki>&lt;img src="https://not.example.com/image.jpg"&gt;</nowiki></tt>, then the browser will send a request like this:
<pre>GET /image.jpg HTTP/1.1
Host: not.example.com
Referer: https://example.com/page.html</pre>
In addition to the privacy risks that this entails, the browser may also transmit internal-use-only URLs that it may not have intended to reveal. If you as the site operator want to limit the exposure of this information, you can use HTTP Referrer Policy to either eliminate the <tt>Referer</tt> header or reduce the amount of information that it contains.
== Directives ==
* <tt>no-referrer</tt>: never send the <tt>Referer</tt> header
* <tt>same-origin</tt>: send referrer, but only on requests to the same origin
* <tt>strict-origin</tt>: send referrer to all origins, but only the URL sans path (e.g. https://example.com/)
* <tt>strict-origin-when-cross-origin</tt>: send full referrer on same origin, URL sans path on foreign origin
== Notes ==
Although there are other options for referrer policies, they do not protect user privacy and limit exposure in the same way as the options above.
<tt>no-referrer-when-downgrade</tt> is the default behavior for all current browsers, and can be used when sites are concerned about breaking existing systems that rely on the full Referrer header for their operation.
Please note that support for Referrer Policy is still in its infancy. Chrome currently only supports <tt>no-referrer</tt> from the directives above, and Firefox awaits full support with Firefox 52.
== Examples ==
<pre># On example.com, only send the Referer header when loading or linking to other example.com resources
Referrer-Policy: same-origin
# Only send the shortened referrer to a foreign origin, full referrer to a local host
Referrer-Policy: strict-origin-when-cross-origin
# Disable referrers for browsers that don't support strict-origin-when-cross-origin
# Uses strict-origin-when-cross-origin for browsers that do
Referrer-Policy: no-referrer, strict-origin-when-cross-origin
# Do the same, but with a meta tag
&lt;meta http-equiv="Referrer-Policy" content="no-referrer, strict-origin-when-cross-origin"&gt;
# Do the same, but only for a single link
&lt;a href="https://mozilla.org/" referrerpolicy="no-referrer, strict-origin-when-cross-origin"&gt;</pre>
== See Also ==
* [https://w3c.github.io/webappsec-referrer-policy/#referrer-policy-same-origin Referrer Policy standard]
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy MDN on Referrer Policy]




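Review bot: the comma-separated fallback form only works in the HTTP header: the `referrerpolicy` attribute in the last example is an enumerated attribute that takes a single policy keyword, so "no-referrer, strict-origin-when-cross-origin" matches nothing and falls back to the default; use a single value there. The meta delivery defined by the Referrer Policy spec is `<meta name="referrer" content="...">` rather than `http-equiv="Referrer-Policy"`, and it likewise takes a single value. Under Notes, "the full Referrer header" should read `Referer` like the rest of the section, and the browser-support sentence ("Chrome currently only supports no-referrer ... Firefox 52") should carry a date since it will age quickly.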
Line 592: Line 656:
= X-Content-Type-Options =
= X-Content-Type-Options =


<tt>X-Content-Type-Options</tt> is a header supported by Internet Explorer and Chrome that tells it not to load scripts and stylesheets unless the server indicates the correct MIME type. Without this header, these browsers can incorrectly detect files as scripts and stylesheets, leading to XSS attacks. As such, all sites must set the <tt>X-Content-Type-Options</tt> header and the appropriate MIME types for files that they serve.
<tt>X-Content-Type-Options</tt> is a header supported by Internet Explorer, Chrome and Firefox 50+ that tells it not to load scripts and stylesheets unless the server indicates the correct MIME type. Without this header, these browsers can incorrectly detect files as scripts and stylesheets, leading to XSS attacks. As such, all sites must set the <tt>X-Content-Type-Options</tt> header and the appropriate MIME types for files that they serve.


== Examples ==
== Examples ==


<pre># Prevent IE and Chrome from incorrectly detecting non-scripts as scripts
<pre># Prevent browsers from incorrectly detecting non-scripts as scripts
X-Content-Type-Options: nosniff</pre>
X-Content-Type-Options: nosniff</pre>


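Review bot: "Internet Explorer, Chrome and Firefox 50+ that tells it not to load" should be "tells them" now that the subject is plural. The example comment generalising from "IE and Chrome" to "browsers" matches the prose change.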
Line 603: Line 667:
* [https://msdn.microsoft.com/en-us/library/gg622941%28v=vs.85%29.aspx Microsoft on Reducing MIME Type Security Risks]
* [https://msdn.microsoft.com/en-us/library/gg622941%28v=vs.85%29.aspx Microsoft on Reducing MIME Type Security Risks]


= X-Frame-Options =


= X-Frame-Options =
<tt>X-Frame-Options</tt> is an HTTP header that allows sites control over how your site may be framed within an iframe. Clickjacking is a practical attack that allows malicious sites to trick users into clicking links on your site even though they may appear to not be on your site at all. As such, the use of the <tt>X-Frame-Options</tt> header is mandatory for all new websites, and all existing websites are expected to add support for <tt>X-Frame-Options</tt> as soon as possible.


<tt>X-Frame-Options</tt> is an HTTP header that allows sites control over how your site may be framed within an iframe. Clickjacking is a practical attack that allows malicious sites to trick users into clicking links on your site even though they may appear to be something else entirely. As such, the use of the X-Frame-Options header is mandatory for all new websites, and all existing websites are expected to add support for X-Frame-Options as soon as possible.
Note that <tt>X-Frame-Options</tt> has been superceded by the Content Security Policy's <tt>frame-ancestors</tt> directive, which allows considerably more granular control over the origins allowed to frame a site. As <tt>frame-ancestors</tt> is not yet supported in IE11 and older, Edge, Safari 9.1 (desktop), and Safari 9.2 (iOS), it is recommended that sites employ <tt>X-Frame-Options</tt> in addition to using CSP.


Sites that require the ability to be iframed must either use the <tt>ALLOW-FROM</tt> directive or employ JavaScript defenses to prevent clickjacking from malicious origins.
Sites that require the ability to be iframed must use either Content Security Policy and/or employ JavaScript defenses to prevent clickjacking from malicious origins.


== Directives ==
== Directives ==
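Review bot: "superceded" should be "superseded", and "must use either Content Security Policy and/or employ JavaScript defenses" mixes "either" with "and/or"; "must use CSP's frame-ancestors directive, JavaScript defenses, or both" says what is meant. The list of browsers lacking frame-ancestors support is a point-in-time statement and should be dated like the Referrer Policy support note. The "= X-Frame-Options =" heading moves relative to the blank lines around it; make sure exactly one blank line precedes it after the edit.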
Line 614: Line 679:
* <tt>DENY</tt>: disallow allow attempts to iframe site (recommended)
* <tt>DENY</tt>: disallow allow attempts to iframe site (recommended)
* <tt>SAMEORIGIN</tt>: allow the site to iframe itself
* <tt>SAMEORIGIN</tt>: allow the site to iframe itself
* <tt>ALLOW-FROM <em>uri</em></tt>: allow <em>uri</em> to iframe site (not supported in Chrome and Safari)
* <tt>ALLOW-FROM <em>uri</em></tt>: deprecated; instead use CSP's <tt>frame-ancestors</tt> directive

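Review bot: the unchanged DENY line still reads "disallow allow attempts to iframe site"; drop the stray "allow". Pointing ALLOW-FROM at frame-ancestors is the right replacement.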

== Examples ==
== Examples ==


<pre># Block site from being iframed
<pre># Block site from being framed with X-Frame-Options and CSP
Content-Security-Policy: frame-ancestors 'none'
X-Frame-Options: DENY</pre>
X-Frame-Options: DENY</pre>


<pre># Only allow my site to frame itself
<pre># Only allow my site to frame itself
Content-Security-Policy: frame-ancestors 'self'
X-Frame-Options: SAMEORIGIN</pre>
X-Frame-Options: SAMEORIGIN</pre>
<pre># Allow only framer.mozilla.org to frame site
# Note that this blocks framing from browsers that don't support CSP2+
Content-Security-Policy: frame-ancestors https://framer.mozilla.org
X-Frame-Options: DENY</pre>


== See Also ==
== See Also ==


* [https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options MDN on X-Frame-Options]
* [https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options MDN on X-Frame-Options]
* [https://www.w3.org/TR/CSP2/#directive-frame-ancestors CSP standard on 'frame-ancestors']
* [https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet OWASP Clickjacking Defense Cheat Sheet]
* [https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet OWASP Clickjacking Defense Cheat Sheet]


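Review bot: the third example (frame-ancestors https://framer.mozilla.org together with X-Frame-Options: DENY) relies on CSP2's rule that a browser enforcing frame-ancestors ignores X-Frame-Options when both are present; the comment only implies this, and should state it, since a reader may otherwise expect DENY to win in every browser. The first two examples correctly pair 'none' with DENY and 'self' with SAMEORIGIN.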
Line 632: Line 705:
= X-XSS-Protection =
= X-XSS-Protection =


<tt>X-XSS-Protection</tt> is a feature of Internet Explorer and Chrome that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. New sites should use this header, but it is only recommended for existing sites, given the small but possible risk of false positives.
<tt>X-XSS-Protection</tt> is a feature of Internet Explorer and Chrome that stops pages from loading when they detect reflected cross-site scripting (XSS) attacks. Although these protections are largely unnecessary in modern browsers when sites implement a strong Content Security Policy that disables the use of inline JavaScript (<tt>'unsafe-inline'</tt>), they can still provide protections for users of older web browsers that don't yet support CSP.
 
New websites should use this header, but given the small risk of false positives, it is only recommended for existing sites. This header is unnecessary for APIs, which should instead simply return a restrictive Content Security Policy header.


== Examples ==
== Examples ==
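Review bot: the parenthetical "disables the use of inline JavaScript (<tt>'unsafe-inline'</tt>)" reads as if 'unsafe-inline' were the thing being disabled; "a strong Content Security Policy that does not allow 'unsafe-inline' in script-src" is what is meant. The API advice (return a restrictive CSP instead) is consistent with the new API example added in the CSP section.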
Line 645: Line 720:
{| class="wikitable" style="width: 100%;"
{| class="wikitable" style="width: 100%;"
|-
|-
! scope="col" style="width: 6em;" | Version
! scope="col" style="width: 8em;" | Date
! scope="col" style="width: 6em;" | Editor
! scope="col" style="width: 6em;" | Editor
! Changes
! Changes
|-
|-
| align="center" | 1.0
| style="padding-left: .5em; text-align: left;" | June, 2017
| align="center" | April
| style="padding-left: .5em;" | Moved cookie prefixes to no longer be experimental
|-
| style="padding-left: .5em; text-align: left;" | November, 2016
| align="center" | April
| style="padding-left: .5em;" | Added Referrer Policy, tidied up XFO examples
|-
| style="padding-left: .5em; text-align: left;" | October, 2016
| align="center" | April
| style="padding-left: .5em;" | Updates to CSP recommendations
|-
| style="padding-left: .5em; text-align: left;" | July, 2016
| align="center" | April
| style="padding-left: .5em;" | Updates to CSP for APIs, and CSP's deprecation of XFO, and XXSSP
|-
| style="padding-left: .5em; text-align: left;" | February, 2016
| align="center" | April
| align="center" | April
| Initial document creation
| style="padding-left: .5em;" | Initial document creation
|}
|}
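Review bot: the table drops the Version column and adds Date, and each new row has three cells to match the new three-column header, so the markup stays well-formed; consider an ISO-style date ("2017-06") over "June, 2017" so the column sorts correctly.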