esapi-java-legacy icon indicating copy to clipboard operation
esapi-java-legacy copied to clipboard

Published 20 hours ago verified publisher icon ESAPI

Need a new filter for browser security response headers

Open meg23 opened this issue 10 years ago • 7 comments

From [email protected] on November 03, 2010 01:40:58

We need one central filter for security headers (clickjacking headers, XSS header defense, STS and others) http://feedproxy.google.com/~r/typepad/the_security_practice/~3/aMQ-E8zZYk4/the-need-for-coherent-web-security-policy-frameworks.html Let's work out the API first for each header, and then make it work as a global configurable filter.

Attachment: ConfigureBrowserXSSProtectionFilter.java StrictTransportSecurityFilter.java

Original issue: http://code.google.com/p/owasp-esapi-java/issues/detail?id=169

meg23 avatar Nov 13 '14 17:11 meg23

From [email protected] on November 02, 2010 22:42:36

Issue 167 has been merged into this issue.

meg23 avatar Nov 13 '14 17:11 meg23

From [email protected] on November 02, 2010 22:43:03

Issue 53 has been merged into this issue.

meg23 avatar Nov 13 '14 17:11 meg23

From [email protected] on November 02, 2010 22:45:05

Labels: Milestone-Release2.1

meg23 avatar Nov 13 '14 17:11 meg23

From [email protected] on November 03, 2010 02:43:15

(From Sebastian)

One way to avoid SRP violation would be that you have a Filter called BrowserAidFilter and that calls some classes implementing the interface BrowserAid. And you could make it configurable which BrowserAid is active and users could write their own Aids if they need to. So in a way, you create a browser medicine cabinet. :-)

meg23 avatar Nov 13 '14 17:11 meg23

From [email protected] on May 28, 2012 20:19:19

Owner: chrisisbeef
Cc: -chrisisbeef

meg23 avatar Nov 13 '14 17:11 meg23

From [email protected] on May 27, 2014 23:55:48

Hi I was looking at this code since I am still using "old" Spring-Security 3.1.3-RELEASE, and there are not yet implemented those filters.

I'm wondering if I got this correctly:

There are two private properties, (lines 63 and 64) boolean enable = true; boolean block = false;

and then another pair of same in init() method (lines 74 and 75)

Then method doFilter() use state of these properties, but since 74 and 75 are local properties it never overrides those from lines 63 and 64.

Am I correct?

Thnx

meg23 avatar Nov 13 '14 17:11 meg23

I just changed this from a Critical priority to a Medium. There are 2 reasons for that. 1) I don't think that ENHANCEMENTS (which this is) should be considered Critical. This was never something that ESAPI promised and therefore is not something that is 'broken' or even insecure in the sense that ESAPI does not provide it. (It is easy enough for an application to add their own JavaEE servlet filter to do this very thing, apart from ESAPI; many have, in fact.) Thus this is a "nice to have", not a "Critical".

Secondly, this issue dates back to 2010 and other than ESAPI developers, I've not heard anyone even ask for it. It was changed to a Critical priority in 2014, probably to try to ensure that it got into the next release (2.1 at the time). But that bus has long since left the station. For that reason, I have changed this to Medium priority and removed the 2.1 milestone.

kwwall avatar Dec 28 '18 18:12 kwwall