Closed elarlang closed 11 months ago
Elar is working on creating the monster PR for this based on individual commits for each requirement (to help traceability)
My idea is actually a bit the opposite: to avoid a monster PR and put the content in with small PRs :)
edit: but the monster arrived...
The new "Web Frontend Security" category is in place, with temporary number V50.
https://github.com/OWASP/ASVS/blob/master/5.0/en/0x50-V50-Web-Frontend-Security.md
There is still a lot of work to do with that, but for those changes it makes sense to open a new issue per topic. As a structure change proposal, we can say it is done.
Great work @elarlang !
Goal: to cover all requirements where an application needs to check whether an HTTP request made by the browser/client was legitimate or forced by a malicious actor from a 3rd-party site. It includes attack vectors like CSRF, XSSI, ClickJacking, etc.
To which category it should belong, I'm not sure. Just by title, the first idea is to put it into "V9 Communications", but that one seems to be a "configuration only" category (the name should say so as well).
Related discussions and issues:
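As an added illustration of the kind of check this category is about (example code written for this page, not from the issue thread or the ASVS project), the following classifies a request as made by the site's own pages or forced from a third-party site using the browser's Fetch Metadata headers, with an Origin-header fallback for older browsers. The `own_origin` value and the `trusted_origins` allowlist are constructed assumptions.

```python
# Added example: request isolation check using Fetch Metadata headers
# (Sec-Fetch-Site / Sec-Fetch-Mode / Sec-Fetch-Dest). Decides whether an
# incoming request was made by our own pages or forced from a third-party
# site (CSRF, XSSI, clickjacking). Not code from the ASVS project.

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
# Fetch destinations through which a third-party page could embed our
# responses: frames (clickjacking) and scripts (XSSI).
EMBEDDED_DESTS = {"iframe", "frame", "object", "embed", "script"}


def is_request_legit(method, headers, own_origin, trusted_origins=frozenset()):
    """Classify one request. Returns (allowed, reason).

    own_origin: this site's origin, e.g. "https://app.example" (constructed).
    trusted_origins: lowercase cross-site origins allowed to call us
    (hypothetical allowlist, e.g. an SSO host that POSTs assertions to us).
    """
    h = {k.lower(): v.strip().lower() for k, v in headers.items()}
    method = method.upper()
    site = h.get("sec-fetch-site")

    if site is None:
        # Legacy browser without Fetch Metadata: fall back to the Origin header.
        origin = h.get("origin")
        if origin is None:
            # No cross-site signal at all: permit only state-free reads.
            return method in SAFE_METHODS, "no Fetch Metadata or Origin header"
        if origin == own_origin.lower() or origin in trusted_origins:
            return True, "Origin header is own or trusted"
        return False, f"cross-site Origin {origin}"

    # Requests from our own origin/site, or typed in by the user, are legit.
    if site in ("same-origin", "same-site", "none"):
        return True, f"Sec-Fetch-Site={site}"

    # From here on the request is cross-site.
    if h.get("origin") in trusted_origins:
        return True, "cross-site but Origin is on the allowlist"
    dest = h.get("sec-fetch-dest", "")
    if dest in EMBEDDED_DESTS:
        return False, f"cross-site embedding as {dest}"
    if h.get("sec-fetch-mode") == "navigate" and method in SAFE_METHODS:
        # A plain link from another site to one of our pages is fine.
        return True, "cross-site top-level navigation with a safe method"
    return False, f"cross-site {method} {h.get('sec-fetch-mode')}/{dest} request"


if __name__ == "__main__":
    # Constructed sample: a form POST auto-submitted from another site.
    forged = {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate",
              "Sec-Fetch-Dest": "document", "Origin": "https://evil.example"}
    print(is_request_legit("POST", forged, "https://app.example"))
```

Browsers that send Fetch Metadata also set `Sec-Fetch-Site: none` for user-typed URLs and bookmarks, which is why that value is treated as legitimate.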