Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Jerryzz0 patch 1 #168

Open
wants to merge 11 commits into
base: master
Choose a base branch
from
Open

Jerryzz0 patch 1 #168

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
8a38549
Update resource-isolation.md
jerryzz0 Aug 19, 2024
6645e68
Update framing-isolation.md
jerryzz0 Aug 19, 2024
d0fb745
Update navigation-isolation.md
jerryzz0 Aug 19, 2024
e4ce38e
Update navigation-isolation.md
jerryzz0 Aug 19, 2024
ff7f60d
Update resource-isolation.md
jerryzz0 Aug 19, 2024
58e8022
Update resource-isolation.md
jerryzz0 Aug 19, 2024
fa4adc5
Update framing-isolation.md
jerryzz0 Aug 19, 2024
58e9036
Update strict-isolation.md
jerryzz0 Aug 19, 2024
8c9d897
Update resource-isolation.md
jerryzz0 Aug 19, 2024
7583a5e
Update framing-isolation.md
jerryzz0 Aug 19, 2024
bedeeee
Update navigation-isolation.md
jerryzz0 Aug 19, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions content/docs/defenses/isolation-policies/framing-isolation.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,8 @@ def allow_request(req):
return False
```

IMPORTANT: To ensure the policy works well under caching, you must additionally include `Sec-Fetch-Dest`, `Sec-Fetch-Mode`, and `Sec-Fetch-Site` in the `Vary` response header.

## Considerations
Framing Isolation Policy cannot be applied if an endpoint allows framing requests from specific origins via `X-Frame-Options` and/or Content Security Policy's
`frame-ancestors` directive.
3 changes: 3 additions & 0 deletions content/docs/defenses/isolation-policies/navigation-isolation.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,5 +36,8 @@ def allow_request(req):
# Allow all other requests
return True
```

IMPORTANT: To ensure the policy works well under caching, you must additionally include `Sec-Fetch-Mode` and `Sec-Fetch-Site` in the `Vary` response header.

## References
[^secmetadata]: Fetch Metadata Request Headers playground, [link](https://secmetadata.appspot.com/)
2 changes: 2 additions & 0 deletions content/docs/defenses/isolation-policies/resource-isolation.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,8 @@ def allow_request(req):
return False
```

IMPORTANT: To ensure the policy works well under caching, you must additionally include `Sec-Fetch-Dest`, `Sec-Fetch-Mode`, and `Sec-Fetch-Site` in the `Vary` response header.

## Considerations
It should be safe to set a `Cross-Origin-Resource-Policy: same-site` response header on all requests that have not explicitly been exempted from Resource Isolation Policy. See [CORP]({{< ref "../opt-in/corp.md" >}}).

Expand Down
2 changes: 2 additions & 0 deletions content/docs/defenses/isolation-policies/strict-isolation.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,8 @@ def allow_request(req):
return True
```

IMPORTANT: To ensure the policy works well under caching, you must additionally include `Sec-Fetch-Site` in the `Vary` response header.

## Implementation with SameSite cookies
If a server sends a cookie with the [`SameSite=strict`]({{< ref "../opt-in/same-site-cookies/#samesite-cookie-modes" >}}) flag, any returned request that doesn't contain that cookie can be rejected, as showcased in this snippet:

Expand Down
Loading