Josh Grossman

Results: 772 comments of Josh Grossman

Maybe the answer is applications with separate session mechanisms should be on different origins? If I understand correctly, the problem is that XSS on 1 app will affect apps 2...

> What I think @tghosth was trying to say is that https://example.com/a and https://example.com/b are different applications, if the session cookie used for authentication differs between these pages. Pages that...

Is the benefit from trying to enforce this worth the change? Right now, things seem to work ok with 2 letter codes and we don't have so many translations that...

I agree with Jim's changes, I think entitlements nicely covers both roles and permissions/privileges. @Sjord, do you want to open a separate issue about 1.4.5 if it has not already...

I am going to try and deal with this at some point because I think it is interesting

Hi @jmanico, the suggestion says "providing admin functionality on a separate domain from other users" (assuming we are talking about a web domain like https://admin.example.com). Do you think that is...

@jmanico Minor modification to change "and" to "or": > 4.3.1 Verify administrative interfaces are isolated from the main application **or** only accept connections from trusted endpoints. Examples include using a...

Hi @SPoint42 @Marx314 @inaz0, Thanks so much for your work on this so far! I noticed that the current translation appears to be a bit mixed with one part referring...

Hi @clallier94, have you seen the guidance here: https://github.com/OWASP/ASVS/blob/master/CONTRIBUTING.md#translations Please take a look and let me know if anything is unclear.