OWASP / ASVS

Application Security Verification Standard
Creative Commons Attribution Share Alike 4.0 International

11.4 #91

Closed relaxnow closed 8 years ago

relaxnow commented 9 years ago

V11.4 Verify that the Content Security Policy V2 (CSP) is in use for sites where content should not be viewed in a 3rd-party X-Frame.

Should probably be

V11.4 Verify that the X-Frame-Options (XFO) is in use for sites where content should not be viewed in a 3rd-party frame.

vanderaj commented 8 years ago

We have a few different X_FRAME_OPTIONS. We are trying to increase the uptake of CSP as it has a lot of other benefits other than just providing coarse grained access control of frame src and script src.
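The thread is about which response header a verifier should look for when checking V11.4. The CSP Level 2 directive that governs who may embed a page is `frame-ancestors`, and when an enforced policy carries it, browsers ignore `X-Frame-Options` for that response. The following added example (written for this page, not code from the ASVS project) checks a response's headers against those rules so a tester can decide whether the clickjacking requirement is met; the sample header sets at the bottom are constructed, not captured from any real site.

```python
"""Check whether an HTTP response restricts framing (the property behind ASVS V11.4).

Added example, not part of the ASVS project. The header samples in main() are
constructed for illustration.
"""
from typing import Dict, Iterable, List, Tuple

Header = Tuple[str, str]


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive-name: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def framing_verdict(headers: Iterable[Header]) -> Tuple[bool, str]:
    """Return (restricted, reason) for a sequence of (name, value) response headers.

    Rules applied, matching CSP Level 2 and current browser behaviour:
    - An enforced Content-Security-Policy containing frame-ancestors takes
      precedence over X-Frame-Options; Content-Security-Policy-Report-Only
      enforces nothing and is ignored here.
    - Every enforced CSP header on a response is applied, so one restrictive
      frame-ancestors directive is enough even if another policy is permissive.
    - X-Frame-Options DENY and SAMEORIGIN restrict framing; ALLOW-FROM is
      obsolete and ignored by current browsers, so it counts as unprotected.
    """
    headers = list(headers)
    csp_values = [v for n, v in headers if n.lower() == "content-security-policy"]
    xfo_values = [v.strip().upper() for n, v in headers if n.lower() == "x-frame-options"]

    saw_frame_ancestors = False
    for value in csp_values:
        sources = parse_csp(value).get("frame-ancestors")
        if sources is None:
            continue
        saw_frame_ancestors = True
        # An empty source list means 'none'; only a bare '*' opens embedding to everyone.
        if "*" not in sources:
            shown = " ".join(sources) or "'none'"
            return True, f"CSP frame-ancestors restricts embedding: {shown}"
    if saw_frame_ancestors:
        return False, ("CSP frame-ancestors allows any origin (*); "
                       "X-Frame-Options is ignored once frame-ancestors is set")

    if len(set(xfo_values)) > 1:
        return False, f"conflicting X-Frame-Options values {sorted(set(xfo_values))}; send exactly one"
    if xfo_values:
        value = xfo_values[0]
        if value in ("DENY", "SAMEORIGIN"):
            return True, f"X-Frame-Options {value}"
        if value.startswith("ALLOW-FROM"):
            return False, ("X-Frame-Options ALLOW-FROM is obsolete and ignored by current "
                           "browsers; use CSP frame-ancestors instead")
        return False, f"unrecognised X-Frame-Options value {value!r}"

    return False, "neither CSP frame-ancestors nor X-Frame-Options present"


if __name__ == "__main__":
    # Constructed header sets covering the cases a verifier runs into.
    samples = {
        "csp none": [("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'")],
        "xfo deny": [("X-Frame-Options", "DENY")],
        "report-only": [("Content-Security-Policy-Report-Only", "frame-ancestors 'none'")],
        "csp overrides xfo": [("Content-Security-Policy", "frame-ancestors *"),
                              ("X-Frame-Options", "DENY")],
        "allow-from": [("X-Frame-Options", "ALLOW-FROM https://partner.example")],
        "nothing": [("Content-Type", "text/html")],
    }
    for name, hdrs in samples.items():
        ok, why = framing_verdict(hdrs)
        print(f"{name:18} {'PASS' if ok else 'FAIL'}  {why}")
```

Feed it the headers of a real response (for example the list returned by `http.client` or `requests`) and treat `False` as a V11.4 finding; the reason string says which of the two mechanisms was evaluated and why it fell short.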

vanderaj commented 8 years ago

Let me ponder this one a while longer.

vanderaj commented 8 years ago

Fixed. Also updated v11.7 to be more clear about what we really want to achieve with a CSPv2 policy.