ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S5604/javascript/rule.adoc
jtingsanchali 96d9ddb930
RULEAPI-755 Update CWE URLs by removing .html suffix and update with https protocol (#926) 
* Change affects only see.adoc and rule.adoc files, not comments-and-links.adoc files
2022-04-07 08:53:59 -05:00

70 lines
3.2 KiB
Plaintext
Raw Blame History

https://www.w3.org/TR/permissions/#powerful-feature[Powerful features] are browser features (geolocation, camera, microphone ...) that can be accessed with JavaScript API and may require a permission granted by the user. These features can have a high impact on privacy and user security thus they should only be used if they are really necessary to implement the critical parts of an application.
This rule highlights intrusive permissions when requested with https://developer.mozilla.org/en-US/docs/Web/API/Permissions/query[the future standard (but currently experimental) web browser query API] and specific APIs related to the permission. It is highly recommended to customize this rule with the permissions considered as intrusive in the context of the web application.
== Ask Yourself Whether
* Some powerful features used by the application are not really necessary.
* Users are not clearly informed why and when powerful features are used by the application.
You are at risk if you answered yes to any of those questions.
== Recommended Secure Coding Practices
* In order to respect user privacy it is recommended to avoid using intrusive powerful features.
== Sensitive Code Example
When using https://developer.mozilla.org/en-US/docs/Web/API/Geolocation_API[geolocation API], Firefox for example retrieves personal information like nearby wireless access points and IP address and sends it to the default geolocation service provider, https://www.google.com/privacy/lsf.html[Google Location Services]:
----
navigator.permissions.query({name:"geolocation"}).then(function(result) {
}); // Sensitive: geolocation is a powerful feature with high privacy concerns
navigator.geolocation.getCurrentPosition(function(position) {
console.log("coordinates x="+position.coords.latitude+" and y="+position.coords.longitude);
}); // Sensitive: geolocation is a powerful feature with high privacy concerns
----
== Compliant Solution
If geolocation is required, always explain to the user why the application needs it and prefer requesting an approximate location when possible:
[source,javascript]
----
<html>
<head>
<title>
Retailer website example
</title>
</head>
<body>
Type a city, street or zip code where you want to retrieve the closest retail locations of our products:
<form method=post>
<input type=text value="New York"> <!-- Compliant -->
</form>
</body>
</html>
----
== See
* https://owasp.org/Top10/A01_2021-Broken_Access_Control/[OWASP Top 10 2021 Category A1] - Broken Access Control
* https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure[OWASP Web Top 10 2017 Category A3] - Sensitive Data Exposure
* https://cwe.mitre.org/data/definitions/250[MITRE, CWE-250] - Execution with Unnecessary Privileges
* https://cwe.mitre.org/data/definitions/359[MITRE, CWE-359] - Exposure of Private Information
* https://www.w3.org/TR/permissions/[W3C] - Permissions
* https://support.mozilla.org/en-US/kb/does-firefox-share-my-location-websites[Mozilla] - Does Firefox share my location with websites?
ifdef::env-github,rspecator-view[]
'''
== Implementation Specification
(visible only on this page)
include::message.adoc[]
include::parameters.adoc[]
endif::env-github,rspecator-view[]
Reference in New Issue View Git Blame Copy Permalink