Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add advisement on applicability of security policy based on authentication state and resource semantics #8

Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

Add advisement on applicability of security policy based on authentication state and resource semantics #8

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
005b00f
Add advisement on applicability of security policy based on authentic…
csarven May 31, 2024
29b8326
Update index.bs
csarven Jun 5, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions index.bs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -115,6 +115,8 @@ The attacker writes a malicious `text/html` file to the server. Depending on the

Servers are strongly encouraged to consider the countermeasures in the context of the use cases they want to enable or disable on a given storage. For instance, using `Content-Security-Policy: sandbox` will universally prohibit various functionalities for applications, including but not limited to accessing local storage, executing scripts, using forms, interacting with plugins, or including external content. This broad range of restrictions may not be desirable for various categories of applications that rely on client-side storage mechanisms, collaborative features, or dynamic content interaction.

Servers are encouraged to check the applicability of security policies based on the user's authentication state as well as resource semantics. Some attacks might only be applicable for authenticated requests, so functionality restrictions could unnecessarily prevent non-affected users from using certain features.
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you give an example?


Comment on lines +118 to +119
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Servers are encouraged to check the applicability of security policies based on the user's authentication state as well as resource semantics. Some attacks might only be applicable for authenticated requests, so functionality restrictions could unnecessarily prevent non-affected users from using certain features.
Servers are encouraged to check the applicability of security policies based on the user's authentication state as well as resource semantics. Some attacks might only be applicable for authenticated requests, so functionality restrictions could unnecessarily prevent non-affected users from using certain features. Servers should therefore focus on applying these countermeasures only to authenticated requests.

### Countermeasures ### {#serving-user-created-files-countermeasures}

* Servers are encouraged to apply security measures when serving user-created files.
Expand Down