Josh Grossman

Results 687 comments of Josh Grossman

Not sure we have ever had any guidance there so I am open to suggestions. I think it would be good to have some brief text at the start of...

@EnigmaRosa does the split which @elarlang proposed make sense to you?

I think we will move these around next week when we finalize the requirements during the summit, thanks!

Thanks for the ping @EnigmaRosa, I think it would be good to reword the proposed requirement around deny by default. Do you think it could be made into a merge...

Minor tweak but otherwise sounds good :) "_Verify that every object is addressed by at least one access control policy. When an object lacks an access control policy, access to...

So I think 4.1.3 is looking at how permissions are assigned to users and the proposed requirement is looking at how access controls are assigned to resources. I think these...

> > I wonder whether 4.2.1 should be merged into 4.1.3 though?
>
> I prefer not, since IDOR is a really specific issue that I'd like to see directly...

If we want to keep it, do we have a proposal for alternative wording?

Ok, I think the 4.1.3 discussion has now moved to #2196. In the meantime, I think the most recent proposal for this requirement is here: https://github.com/OWASP/ASVS/issues/2063#issuecomment-2428538405 I think this proposal...

So @securitydave is proposing a new requirement:

> Verify that links to external pages which specify a target, include rel="noopener" to prevent tabnabbing.

In principle modern browsers should fix this...