Ryan Armstrong

Results 39 comments of Ryan Armstrong

@tghosth
> do the COOP and COEP response headers definitely prevent the same thing as the rel=noopener attribute. Should this be one requirement or two?

Yes, but only the COOP...

@elarlang Recommending closing this issue for these reasons:
- Tabnabbing is mitigated by the browsers by default with high and increasing (over time) support
- There is insufficient evidence of...

> Do you know of any modern app that actually stores them in Session Storage, and how that app maintains sessions with new tabs?

@Tib3rius I have encountered several apps...

Thanks @elarlang @tghosth, I'll add some thoughts to consider:
1. It was noted that CSP violation logs are fundamentally different than server-side logs as the violation logs are initiated by...

Thanks @ScottHelme for the comment and Twitter discussion. I will first add my overall thoughts on implementing violation reporting as I failed to in my initial comment: I do think...

@elarlang I agree and I think it makes the most sense to approach by vector. As far as Attack Vectors, I would just expand "JavaScript execution" to a more general...

Good point. There is no CSP feature to prevent modification of HTML content, but it can prevent actions like the submission of forms to untrusted origins via HTML form hijacking....

Reopening to suggest an update (following discussion):

| # | Description | L1 | L2 | L3 | CWE | [NIST §](https://pages.nist.gov/800-63-3/sp800-63b.html) |
| :---: | :--- | :---: |...

The requirement can be generalized beyond sessions. Consider 3.1.3:
> Verify that the application uses either cryptographically secured or random session tokens for session management.

Static API secrets and keys...