David Deatherage

Results 9 comments of David Deatherage

As suggested in my closed issue https://github.com/OWASP/ASVS/issues/1623, we should have a requirement like the following. This is in agreement with some of the above comments. 12.2.x (new) Verify that user-submitted filename...

I suggest the following reshuffle of the sentence: Verify that the contents of each file being accepted by the application are validated to match the expected type, including but not...

I cannot find "noopener" nor "noreferrer" in 4.0.3. Is it in 5.0? Is there a generated doc of 5.0 which I can search?

At caniuse.com, "noopener" and "noreferrer" are well supported.

Tested just now on Chrome Version 111.0.5563.112 64-bit on Windows 10 and found that either noopener or noreferrer defends against tabnabbing. I agree with you that noopener is the logical...

This is great news that compliant browsers may fix this. However, I would still recommend including rel="noopener" on links supplying a non-blank target. Your reference https://mathiasbynens.github.io/rel-noopener/ recommends as such. Now...

As already stated, I advise including rel="noopener" on links supplying a non-blank target. I think it's a requirement.

Yes, first thing I ask when looking at file upload is what file types are allowed. If not specified, then this is for the product owner/business owner to do. Then...