by RobertDrew » Tue Jul 07, 2015 2:09 am
[quote]# This one defines normal application behavior, allowing hyperlinking
# but not cross-site POST requests altering app status
# Additionally, [b]pages can be embedded as subdocuments only by documents from[/b]
# [b]the same domain[/b] (this prevents ClickJacking/UI redressing attacks)
Site *.somesite.com
Accept POST SUB from SELF https://secure.somesite.com
[b]Accept GET[/b]
Deny[/quote]
The above rules do not do what the highlighted portion of the comments describe, due to the highlighted portion of the rules.
Here's a corrected version of the rules, so that they match the description in the comments. The change is highlighted ...
[quote]# This one defines normal application behavior, allowing hyperlinking
# but not cross-site POST requests altering app status
# Additionally, pages can be embedded as subdocuments only by documents from
# the same domain (this prevents ClickJacking/UI redressing attacks)
Site *.somesite.com
Accept POST SUB from SELF https://secure.somesite.com
[b]Deny SUB[/b]
Accept GET
Deny[/quote]
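As an added illustration (not part of RobertDrew's post or of NoScript's own code), here is a small evaluator that models ABE's top-down, first-match rule ordering and runs both rule sets above against a cross-site frame load; treating SUB as "any subdocument load, whatever the verb", the SELF matcher, and the sample origins are assumptions of this model.

```javascript
// Simplified model of ABE rule evaluation (assumption, not NoScript's code):
// actions are tried top-down and the first whose methods and origins match
// the request decides. "SUB" matches subdocument (frame) loads regardless of
// the HTTP verb; "SELF" matches origins inside the Site pattern.
const SITE = /^https?:\/\/([^/]+\.)?somesite\.com(\/|$)/; // Site *.somesite.com

function parseRules(text) {
  return text.split("\n").map(l => l.trim())
    .filter(l => l && !l.startsWith("#") && !l.startsWith("Site"))
    .map(line => {
      const [lhs, rhs] = line.split(/\s+from\s+/);
      const [action, ...methods] = lhs.split(/\s+/);
      return { action,
               methods: methods.length ? methods : ["ALL"], // bare "Deny" = all
               origins: rhs ? rhs.split(/\s+/) : null };    // null = any origin
    });
}

function originMatches(origins, origin) {
  if (!origins) return true;
  return origins.some(o => o === "SELF" ? SITE.test(origin) : origin.startsWith(o));
}

function methodMatches(methods, req) {
  return methods.some(m => m === "ALL" || m === req.method || (m === "SUB" && req.isSub));
}

// Returns the action of the first matching rule, or "Accept" if none matched.
function decide(rulesText, req) {
  for (const r of parseRules(rulesText)) {
    if (methodMatches(r.methods, req) && originMatches(r.origins, req.origin)) return r.action;
  }
  return "Accept";
}

const ORIGINAL = `Site *.somesite.com
Accept POST SUB from SELF https://secure.somesite.com
Accept GET
Deny`;
const CORRECTED = `Site *.somesite.com
Accept POST SUB from SELF https://secure.somesite.com
Deny SUB
Accept GET
Deny`;

// Constructed sample requests: a third-party page framing somesite.com (a GET
// subdocument load), a same-site frame, and a cross-site form POST.
const framing = { method: "GET", isSub: true, origin: "https://evil.example/" };
const sameSiteFrame = { method: "GET", isSub: true, origin: "https://app.somesite.com/" };
const crossPost = { method: "POST", isSub: false, origin: "https://evil.example/" };
```

With the original ordering, `decide(ORIGINAL, framing)` returns "Accept" because the frame load is a GET and `Accept GET` matches before anything denies it; with `Deny SUB` inserted first, the same request is denied while same-site framing and plain GETs still pass.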