Error in documentation


Re: Error in documentation

by fatboy » Tue Jul 07, 2015 5:59 pm

Thanks.

Re: Error in documentation

by barbaz » Tue Jul 07, 2015 5:15 pm

fatboy wrote: Deny SUB is not already covered by the Deny on the end?
Indeed not, because the "Accept GET" would have already let any GET requests to 'SUB's through.

Re: Error in documentation

by fatboy » Tue Jul 07, 2015 4:44 pm

@barbaz
Deny SUB is not already covered by the Deny on the end?

Re: Error in documentation

by barbaz » Tue Jul 07, 2015 3:11 pm

fatboy wrote: Why not Deny POST SUB?
Because it's not needed, Deny POST is already covered by the Deny on the end.

Re: Error in documentation

by fatboy » Tue Jul 07, 2015 2:32 pm

RobertDrew wrote: Deny SUB
Why not Deny POST SUB?

Accept POST SUB from SELF
Accept GET #but not POST SUB
Deny #including POST SUB

Incorrectly?

Re: Error in documentation

by Thrawn » Tue Jul 07, 2015 4:10 am

I think you're right. Thanks for pointing it out.

Error in documentation

by RobertDrew » Tue Jul 07, 2015 2:09 am

# This one defines normal application behavior, allowing hyperlinking
# but not cross-site POST requests altering app status
# Additionally, pages can be embedded as subdocuments only by documents from
# the same domain (this prevents ClickJacking/UI redressing attacks)
Site *.somesite.com
Accept POST SUB from SELF https://secure.somesite.com
Accept GET
Deny
The above rules do not do what the highlighted portion of the comments describe, due to the highlighted portion of the rules.

Here's a corrected version of the rules, so that they match the description in the comments. The change is highlighted ...
# This one defines normal application behavior, allowing hyperlinking
# but not cross-site POST requests altering app status
# Additionally, pages can be embedded as subdocuments only by documents from
# the same domain (this prevents ClickJacking/UI redressing attacks)
Site *.somesite.com
Accept POST SUB from SELF https://secure.somesite.com
Deny SUB
Accept GET
Deny
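As an added illustration of the rule-ordering point made in this thread (not code from the post above or from NoScript itself): a small Python model of ABE-style evaluation, assuming the first matching rule wins, that SELF means an origin host matching the Site pattern, and that a request with no matching rule passes through. It compares the original and corrected rule sets quoted in the post.

```python
import fnmatch
from dataclasses import dataclass
from typing import List, Optional, Set
from urllib.parse import urlparse

@dataclass
class Rule:
    action: str                     # "Accept" or "Deny"
    methods: Optional[Set[str]]     # None = any HTTP method
    sub_only: bool                  # True = only subdocument (frame) loads
    origins: Optional[List[str]]    # None = any origin; "SELF" = same site

def parse_rule(line: str) -> Rule:
    """Parse one rule line such as 'Accept POST SUB from SELF https://x'."""
    tokens = line.split("#", 1)[0].split()   # drop trailing comments
    action, rest = tokens[0], tokens[1:]
    origins = None
    if "from" in rest:
        i = rest.index("from")
        origins, rest = rest[i + 1:], rest[:i]
    sub_only = "SUB" in rest
    methods = {t for t in rest if t != "SUB"} or None
    return Rule(action, methods, sub_only, origins)

def origin_ok(rule: Rule, origin_host: str, site: str) -> bool:
    """Assumption: SELF matches the Site glob; other entries match by host."""
    if rule.origins is None:
        return True
    for o in rule.origins:
        if o == "SELF" and fnmatch.fnmatchcase(origin_host, site):
            return True
        if o != "SELF" and urlparse(o).hostname == origin_host:
            return True
    return False

def evaluate(lines: List[str], method: str, is_sub: bool,
             origin_host: str, site: str = "*.somesite.com") -> str:
    """First matching rule wins; assumption: no match means the request passes."""
    for r in map(parse_rule, lines):
        if r.methods is not None and method not in r.methods:
            continue
        if r.sub_only and not is_sub:
            continue
        if not origin_ok(r, origin_host, site):
            continue
        return r.action
    return "Accept"

# The two rule sets from the post above (constructed here as plain strings).
ORIGINAL = ["Accept POST SUB from SELF https://secure.somesite.com",
            "Accept GET", "Deny"]
CORRECTED = ["Accept POST SUB from SELF https://secure.somesite.com",
             "Deny SUB", "Accept GET", "Deny"]
```

With the original ordering, a cross-site GET that frames the page reaches "Accept GET" before any Deny; with "Deny SUB" moved ahead of it, the frame is refused while plain cross-site GET links and same-site POST frames still pass.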
