rspec/rules/S5122/description.adoc

Having a permissive Cross-Origin Resource Sharing policy is security-sensitive. It has led in the past to the following vulnerabilities:

* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0269[CVE-2018-0269]
* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14460[CVE-2017-14460]

https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy[Same origin policy] in browsers prevents, by default and for security-reasons, a javascript frontend to perform a cross-origin HTTP request to a resource that has a different origin (domain, protocol, or port) from its own. The requested target can append additional HTTP headers in response, called https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS[CORS], that act like directives for the browser and change the access control policy / relax the same origin policy.
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`Having a permissive Cross-Origin Resource Sharing policy is security-sensitive. It has led in the past to the following vulnerabilities:`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-0269[CVE-2018-0269]`
			`* http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14460[CVE-2017-14460]`

			https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy[Same origin policy] in browsers prevents, by default and for security-reasons, a javascript frontend to perform a cross-origin HTTP request to a resource that has a different origin (domain, protocol, or port) from its own. The requested target can append additional HTTP headers in response, called https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS[CORS], that act like directives for the browser and change the access control policy / relax the same origin policy.