From 5621da182588c95de61798be49e8943f52660a7a Mon Sep 17 00:00:00 2001 From: elf Pavlik Date: Mon, 3 Jun 2024 18:47:38 -0600 Subject: [PATCH] adjust hedings --- index.bs | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/index.bs b/index.bs index b90f3f7..20ca176 100644 --- a/index.bs +++ b/index.bs @@ -109,12 +109,12 @@ The attacker writes a malicious `text/html` file to the server. Depending on the 1. The malicious `text/html` file can read and send the credentials to the attacker. 1. The attacker can use the credentials to log in with the IDP of the victim. -## Considerations - -Servers are strongly encouraged to consider the countermeasures in the context of the use cases they want to enable or disable on a given storage. For instance, using `Content-Security-Policy: sandbox` will universally prohibit various functionalities for applications, including but not limited to accessing local storage, executing scripts, using forms, interacting with plugins, or including external content. This broad range of restrictions may not be desirable for various categories of applications that rely on client-side storage mechanisms, collaborative features, or dynamic content interaction. - ### Countermeasures ### {#serving-user-created-files-countermeasures} * Servers are encouraged to apply security measures when serving user-created files. * Multiple agents can create files on the same server, which could render `same-origin` security boundaries useless. * As one possible countermeasure, servers could add a [`Content-Security-Policy: sandbox`](https://www.w3.org/TR/CSP3/#directive-sandbox) header to artificially enable `same-origin` security policies for files served on the same origin. + +#### Considerations + +Servers are strongly encouraged to consider the countermeasures in the context of the use cases they want to enable or disable on a given storage. For instance, using `Content-Security-Policy: sandbox` will universally prohibit various functionalities for applications, including but not limited to accessing local storage, executing scripts, using forms, interacting with plugins, or including external content. This broad range of restrictions may not be desirable for various categories of applications that rely on client-side storage mechanisms, collaborative features, or dynamic content interaction.