Security/CSP/CSRFModule: Difference between revisions

Jump to navigation Jump to search

Security/CSP/CSRFModule (view source)

Revision as of 17:55, 22 October 2009

19 bytes added ,  22 October 2009
→‎Open Issues
Line 67: Line 67:
**To address this threat, form submission should only be allowed to <tt>self</tt> URIs when <tt>anti-csrf</tt> is enabled (the allowed set of URIs should be made extensible by other policy declarations).
**To address this threat, form submission should only be allowed to <tt>self</tt> URIs when <tt>anti-csrf</tt> is enabled (the allowed set of URIs should be made extensible by other policy declarations).
**Link activations are still vulnerable to this attack, however.
**Link activations are still vulnerable to this attack, however.
*The list of HTTP requests where <tt>Cookie</tt> header is allowed to be sent must be exhaustive.
*The <tt>anti-csrf</tt> list of HTTP requests where <tt>Cookie</tt> header is allowed to be sent must be exhaustive.
*The CSP policy should be allowed to contain URI that are excepted from <tt>anti-csrf</tt> restrictions.
*The CSP policy should be allowed to contain URI that are excepted from <tt>anti-csrf</tt> restrictions.
Mtl
35

edits

Retrieved from "https://wiki.mozilla.org/Special:MobileDiff/177773"

Navigation menu