rspec/rules/S5736/description.adoc

https://en.wikipedia.org/wiki/HTTP_referer[HTTP header referer] contains a URL set by web browsers and used by applications to track from where the user came from, it's for instance a relevant value for web analytic services, but it can cause https://developer.mozilla.org/en-US/docs/Web/Security/Referer_header:_privacy_and_security_concerns[serious privacy and security problems] if the URL contains confidential information. Note that Firefox for instance, to prevent data leaks, https://blog.mozilla.org/security/2018/01/31/preventing-data-leaks-by-stripping-path-information-in-http-referrers/[removes path information] in the Referer header while browsing privately.


Suppose an e-commerce website asks the user his credit card number to purchase a product:

----
<html>
<body>
<form action="/valid_order" method="GET">
Type your credit card number to purchase products:
<input type=text id="cc" value="1111-2222-3333-4444">
<input type=submit>
</form>
</body>
----

When submitting the above HTML form, a HTTP GET request will be performed, the URL requested will be \https://example.com/valid_order?cc=1111-2222-3333-4444 with credit card number inside and it's obviously not secure for these reasons:

* URLs are stored in the history of browsers.
* URLs could be accidentally shared when doing copy/paste actions.
* URLs can be stolen if a malicious person looks at the computer screen of an user.

In addition to these threats, when further requests will be performed from the  "valid_order" page with a simple legitimate embedded script like that:

----
<script src="https://webanalyticservices_example.com/track">
----

The referer header which contains confidential information will be send to a third party web analytic service and cause privacy issue:

----
GET /track HTTP/2.0
Host: webanalyticservices_example.com
Referer: https://example.com/valid_order?cc=1111-2222-3333-4444
----
Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00			https://en.wikipedia.org/wiki/HTTP_referer[HTTP header referer] contains a URL set by web browsers and used by applications to track from where the user came from, it's for instance a relevant value for web analytic services, but it can cause https://developer.mozilla.org/en-US/docs/Web/Security/Referer_header:_privacy_and_security_concerns[serious privacy and security problems] if the URL contains confidential information. Note that Firefox for instance, to prevent data leaks, https://blog.mozilla.org/security/2018/01/31/preventing-data-leaks-by-stripping-path-information-in-http-referrers/[removes path information] in the Referer header while browsing privately.
Add rules 5000-5999 2020-06-30 12:50:28 +02:00
Force linebreaks 2021-02-02 15:02:10 +01:00
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`Suppose an e-commerce website asks the user his credit card number to purchase a product:`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`----`
			`<html>`
			`<body>`
			`<form action="/valid_order" method="GET">`
			`Type your credit card number to purchase products:`
			`<input type=text id="cc" value="1111-2222-3333-4444">`
			`<input type=submit>`
			`</form>`
			`</body>`
			`----`

Escape plaintext urls 2021-02-08 16:21:28 +01:00			`When submitting the above HTML form, a HTTP GET request will be performed, the URL requested will be \https://example.com/valid_order?cc=1111-2222-3333-4444 with credit card number inside and it's obviously not secure for these reasons:`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`* URLs are stored in the history of browsers.`
			`* URLs could be accidentally shared when doing copy/paste actions.`
			`* URLs can be stolen if a malicious person looks at the computer screen of an user.`

Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00			`In addition to these threats, when further requests will be performed from the "valid_order" page with a simple legitimate embedded script like that:`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`----`
			`<script src="https://webanalyticservices_example.com/track">`
			`----`

			`The referer header which contains confidential information will be send to a third party web analytic service and cause privacy issue:`
Fix code block ambiguity with old header style Ensure blank line before list and clean the one leading space 2020-06-30 14:49:38 +02:00
Add rules 5000-5999 2020-06-30 12:50:28 +02:00			`----`
			`GET /track HTTP/2.0`
			`Host: webanalyticservices_example.com`
			`Referer: https://example.com/valid_order?cc=1111-2222-3333-4444`
			`----`