Problem/Motivation

The method \Drupal\Core\EventSubscriber\FinishResponseSubscriber::onRespond contains a comment:

    // Prevent browsers from sniffing a response and picking a MIME type
    // different from the declared content-type, since that can lead to
    // XSS and other vulnerabilities.
    // https://www.owasp.org/index.php/List_of_useful_HTTP_headers
    $response->headers->set('X-Content-Type-Options', 'nosniff', FALSE);
    $response->headers->set('X-Frame-Options', 'SAMEORIGIN', FALSE);

The link https://www.owasp.org/index.php/List_of_useful_HTTP_headers is no longer valid; it responds with HTTP 404.

Proposed resolution

I don't see any replacement for that URL directly, but we can replace this link with the new ones. One per header:

Or simply without an anchor, because it won't select the appropriate tab with the descriptions anyway.
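As an added example (not code from Drupal core or from this issue), here is a small defender-side audit that checks a response for the two headers the quoted onRespond() code sets, with the same expected values. The header text is a constructed sample, not a real capture; it includes a repeated X-Frame-Options header to show the ambiguous case being flagged.

```python
"""Audit an HTTP response for the two headers that Drupal's
FinishResponseSubscriber::onRespond sets (X-Content-Type-Options and
X-Frame-Options). Added example; not part of Drupal core or of this issue."""
from typing import Dict, List

# Constructed sample of raw response header lines (not a real capture).
SAMPLE_HEADERS = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: NOSNIFF
X-Frame-Options: SAMEORIGIN
X-Frame-Options: DENY
Cache-Control: no-cache
"""


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Return header values keyed by lower-cased name; repeats are kept in order."""
    headers: Dict[str, List[str]] = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip() or ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def audit_headers(headers: Dict[str, List[str]]) -> List[str]:
    """Return a list of findings; an empty list means both headers look right."""
    findings: List[str] = []
    # X-Content-Type-Options has a single valid value; compare case-insensitively.
    xcto = headers.get("x-content-type-options", [])
    if not xcto:
        findings.append("missing X-Content-Type-Options (browsers may MIME-sniff)")
    elif any(v.lower() != "nosniff" for v in xcto):
        findings.append(f"unexpected X-Content-Type-Options value(s): {xcto}")
    # X-Frame-Options: SAMEORIGIN (Drupal's default) or DENY. A repeated header
    # with differing values is ambiguous, so flag it rather than trust either.
    xfo = [v.upper() for v in headers.get("x-frame-options", [])]
    if not xfo:
        findings.append("missing X-Frame-Options (page may be framed: clickjacking)")
    elif len(set(xfo)) > 1:
        findings.append(f"conflicting X-Frame-Options values: {xfo}")
    elif xfo[0] not in ("SAMEORIGIN", "DENY"):
        findings.append(f"unsupported X-Frame-Options value: {xfo[0]}")
    return findings


if __name__ == "__main__":
    for finding in audit_headers(parse_headers(SAMPLE_HEADERS)) or ["ok"]:
        print(finding)
```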

Comments

Niklan created an issue. See original summary.

immaculatexavier

Assigned: Unassigned » immaculatexavier
immaculatexavier

Assigned: immaculatexavier » Unassigned
Status: Active » Needs review
Files: new, 1018 bytes

Attached patch in accordance with the proposed resolution.

niklan

The problem is that anchors would be preferable here, but they don't switch the tab to «Response Headers» (a “bug” on the OWASP site), which contains these anchors and the contents themselves. So they are useless.

In that case, I think it's better to just use https://owasp.org/www-project-secure-headers and that's it.

immaculatexavier

Files: new, 844 bytes; new, 920 bytes

@Niklan, addressed #4.

Status: Needs review » Needs work

The last submitted patch, 5: 3307227-5.patch, failed testing.

andypost

Component: base system » request processing system
cilefen

Status: Needs work » Needs review
Issue tags: +Documentation
smustgrave

Status: Needs review » Reviewed & tested by the community
Issue tags: +Needs Review Queue Initiative

This issue is being reviewed by the kind folks in Slack, #needs-review-queue. We are working to keep the size of the Needs Review queue [2700+ issues] to around 400 (1 month or less), following Review a patch or merge request as a guide.

Simple change and can confirm the current link throws a 404.

alexpott

Version: 10.1.x-dev » 9.5.x-dev
Category: Task » Bug report
Status: Reviewed & tested by the community » Fixed

Backported to 9.5.x since this is a documentation fix.

Committed and pushed 23a41f09cd to 10.1.x and f1aab64ab7 to 10.0.x and 0a3baad943 to 9.5.x. Thanks!

  • alexpott committed 23a41f09 on 10.1.x
    Issue #3307227 by immaculatexavier, Niklan: OWASP link for useful HTTP...

  • alexpott committed f1aab64a on 10.0.x
    Issue #3307227 by immaculatexavier, Niklan: OWASP link for useful HTTP...

  • alexpott committed 0a3baad9 on 9.5.x
    Issue #3307227 by immaculatexavier, Niklan: OWASP link for useful HTTP...

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.