Closed elarlang closed 2 years ago
This is a good catch. I like the suggestion and I wonder the best way to do this? There's no appendix so is there a need to define it in the beginning or can we define it upon first use of the term?
I just made the task to not forget it :)
I think it's enough to describe them both in: https://github.com/OWASP/ASVS/blob/master/4.0/en/0x90-Appendix-A_Glossary.md
and just check and validate, that all requirements and entire document follow those definitions.
Collecting sources:
https://developer.mozilla.org/en-US/docs/Web/API/Location
host
- Is a USVString containing the host, that is the hostname, a ':', and the port of the URL.
hostname
- Is a USVString containing the domain of the URL.
Sources that show the variance over time when it comes to these terms:
https://tantek.com/2011/238/b1/many-ways-slice-url-name-pieces
Seems mission impossible and close?
Origin: Two URLs have the same origin if the protocol, port (if specified), and host are the same for both https://datatracker.ietf.org/doc/html/rfc6454#section-3.2
Host: The same RFC above also says: "If user agents did not include the scheme, there would be no isolation between http://example.com and https://example.com because the two have the same host." from this I think we can deduce what host is.
Domain: is just site.com - what you register.
Found requirements:
Requirement contains "Host":
Requirement contains "Domain":
Requirement contains "Origin":
From this list it seems to me that 14.4.8 and 14.5.3 may need an update.
Proposals:
My small edits:
V14.4.8 [ADDED] Verify that the Cross-Origin Resource Sharing (CORS) Access-Control-Allow-Origin header uses a strict allow list of trusted origins. When "Access-Control-Allow-Origin: *" needs to be used, verify that the responses do not include any sensitive information.
V14.5.3 [MODIFIED] Verify that the Origin header is validated against a defined list of allowed origins to match the desired Cross-Origin Resource Sharing (CORS) policy.
Task from https://github.com/OWASP/ASVS/issues/978#issuecomment-835728210, pointed out by @timhemel
Define for ASVS what is meant by "Host", "Domain" or "Host or Domain" and check that entire document and every requirement follow it.
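As an added example (not part of this issue thread or of the ASVS project), the hostname / host / origin definitions collected above and the V14.4.8 / V14.5.3 proposals expressed in Python: hostname and host follow the MDN Location definitions, origin follows RFC 6454 (scheme, host, effective port), and an Origin header is matched against a strict allow list of full origins. The registrable "domain" is not derived here because that needs the public suffix list; all URLs are constructed samples.

```python
from urllib.parse import urlsplit

# Default ports used for RFC 6454 origin comparison (assumption: only http/https)
DEFAULT_PORTS = {"http": 80, "https": 443}


def url_parts(url):
    """Split a URL into the terms discussed in the thread.
    hostname: the domain part only (MDN Location.hostname)
    host:     hostname plus ':port' when the URL carries an explicit port (MDN Location.host)
    origin:   (scheme, hostname, effective port) as used by RFC 6454 section 3.2
    """
    u = urlsplit(url)
    scheme = u.scheme.lower()
    hostname = (u.hostname or "").lower()
    port = u.port  # None when the URL has no explicit port
    host = hostname if port is None else f"{hostname}:{port}"
    # An implicit default port and an explicit one are the same origin,
    # so compare on the effective port rather than the literal string.
    effective_port = port if port is not None else DEFAULT_PORTS.get(scheme)
    return {"hostname": hostname, "host": host, "origin": (scheme, hostname, effective_port)}


def same_origin(a, b):
    """RFC 6454: same origin iff scheme, host and (effective) port all match."""
    return url_parts(a)["origin"] == url_parts(b)["origin"]


def cors_allow_origin(origin_header, allowed_origins, response_is_public=False):
    """Pick the Access-Control-Allow-Origin value for one request.
    V14.5.3: the Origin header is validated against a defined list of allowed
    origins, compared as full origins, never by substring or hostname alone.
    V14.4.8: '*' is only used when the response holds no sensitive information.
    Returns the header value to send, or None to omit the header entirely.
    """
    if origin_header is None:
        return None
    if "*" in allowed_origins:
        if response_is_public:
            return "*"
        # Sensitive response: ignore the wildcard and fall back to the strict list
        allowed_origins = [o for o in allowed_origins if o != "*"]
    allowed = {url_parts(o)["origin"] for o in allowed_origins}
    if url_parts(origin_header)["origin"] in allowed:
        return origin_header  # echo back the exact trusted origin
    return None
```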