Error in documentation

Posted: Tue Jul 07, 2015 2:09 am
by RobertDrew
# This one defines normal application behavior, allowing hyperlinking
# but not cross-site POST requests altering app status
# Additionally, pages can be embedded as subdocuments only by documents from
# the same domain (this prevents ClickJacking/UI redressing attacks)
Site *.somesite.com
Accept POST SUB from SELF https://secure.somesite.com
Accept GET
Deny
The above rules do not do what the highlighted portion of the comments describe, due to the highlighted portion of the rules.

Here's a corrected version of the rules, so that they match the description in the comments. The change is highlighted ...
# This one defines normal application behavior, allowing hyperlinking
# but not cross-site POST requests altering app status
# Additionally, pages can be embedded as subdocuments only by documents from
# the same domain (this prevents ClickJacking/UI redressing attacks)
Site *.somesite.com
Accept POST SUB from SELF https://secure.somesite.com
Deny SUB
Accept GET
Deny

Re: Error in documentation

Posted: Tue Jul 07, 2015 4:10 am
by Thrawn
I think you're right. Thanks for pointing it out.

Re: Error in documentation

Posted: Tue Jul 07, 2015 2:32 pm
by fatboy
RobertDrew wrote: Deny SUB
Why not Deny POST SUB?

Accept POST SUB from SELF
Accept GET #but not POST SUB
Deny #including POST SUB

Incorrectly?

Re: Error in documentation

Posted: Tue Jul 07, 2015 3:11 pm
by barbaz
fatboy wrote: Why not Deny POST SUB?
Because it's not needed, Deny POST is already covered by the Deny on the end.

Re: Error in documentation

Posted: Tue Jul 07, 2015 4:44 pm
by fatboy
@barbaz
Deny SUB is not already covered by the Deny on the end?

Re: Error in documentation

Posted: Tue Jul 07, 2015 5:15 pm
by barbaz
fatboy wrote: Deny SUB is not already covered by the Deny on the end?
Indeed not, because the "Accept GET" would have already let any GET requests to 'SUB's through.
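
To make the ordering point in this exchange concrete, the following is a small first-match evaluator added to this page; it is not NoScript or ABE code. It models only what the thread relies on: rules are checked top to bottom and the first match wins, a rule listing several methods matches when any one of them applies, SUB is the sub-document (frame) property of a GET or POST request, and SELF is any requesting origin whose host matches the Site pattern. Requests that match no rule are left alone (an assumption), and origins such as https://third-party.example are constructed for the demonstration.

```python
# Added example (not NoScript's code): a toy first-match evaluator for the
# ABE-style rules quoted in this thread, to show why rule order matters.
from dataclasses import dataclass
from fnmatch import fnmatch
from urllib.parse import urlparse

SITE = "*.somesite.com"  # the Site pattern from the thread's ruleset

# The two rule lists from the thread (comments and Site line left out).
ORIGINAL_RULES = [
    "Accept POST SUB from SELF https://secure.somesite.com",
    "Accept GET",
    "Deny",
]
CORRECTED_RULES = [
    "Accept POST SUB from SELF https://secure.somesite.com",
    "Deny SUB",
    "Accept GET",
    "Deny",
]


@dataclass(frozen=True)
class Request:
    method: str          # "GET" or "POST"
    sub: bool = False    # True when the target page is loaded as a sub-document (frame)
    origin: str = ""     # scheme://host of the document that issued the request


@dataclass(frozen=True)
class Rule:
    action: str          # "Accept" or "Deny"
    methods: frozenset   # empty = matches any method
    origins: frozenset   # empty = matches any origin; "SELF" = the Site itself


def is_self(origin: str) -> bool:
    """Modelling assumption: SELF means the requesting host matches the Site pattern."""
    host = urlparse(origin).hostname or ""
    return fnmatch(host, SITE)


def parse_rule(line: str) -> Rule:
    """Parse 'Action [METHOD ...] [from ORIGIN ...]' into a Rule."""
    tokens = line.split()
    action, rest = tokens[0], tokens[1:]
    if "from" in rest:
        i = rest.index("from")
        methods, origins = rest[:i], rest[i + 1:]
    else:
        methods, origins = rest, []
    return Rule(action, frozenset(methods), frozenset(origins))


def rule_matches(rule: Rule, req: Request) -> bool:
    if rule.methods:
        # A framed GET carries both the GET and SUB properties; a rule naming
        # several methods matches if any one of them applies (assumption).
        props = {req.method} | ({"SUB"} if req.sub else set())
        if not (rule.methods & props):
            return False
    if rule.origins:
        if "SELF" in rule.origins and is_self(req.origin):
            return True
        return any(req.origin == o for o in rule.origins if o != "SELF")
    return True


def evaluate(lines, req: Request) -> str:
    """First matching rule wins, as the thread's discussion assumes."""
    for rule in map(parse_rule, lines):
        if rule_matches(rule, req):
            return rule.action
    return "Accept"  # nothing matched: the request is left alone (assumption)


def compare(req: Request):
    """Return (decision under the original rules, decision under the corrected rules)."""
    return evaluate(ORIGINAL_RULES, req), evaluate(CORRECTED_RULES, req)


if __name__ == "__main__":
    cases = {
        "same-site frame":      Request("GET", sub=True, origin="https://www.somesite.com"),
        "cross-site frame":     Request("GET", sub=True, origin="https://third-party.example"),
        "cross-site hyperlink": Request("GET", origin="https://third-party.example"),
        "cross-site POST":      Request("POST", origin="https://third-party.example"),
    }
    for name, req in cases.items():
        before, after = compare(req)
        print(f"{name:22} original={before:6} corrected={after}")
```

Running it shows the single case where the two rule lists disagree: a cross-site frame load is a GET, so the original list accepts it at "Accept GET" before the trailing Deny is ever reached, while the corrected list stops it at "Deny SUB". Same-site frames, plain cross-site hyperlinks and cross-site POSTs get the same decision under both lists, which is also why a separate "Deny POST SUB" adds nothing: the cross-site POST already falls through to the final Deny.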

Re: Error in documentation

Posted: Tue Jul 07, 2015 5:59 pm
by fatboy
Thanks.