From fc7c6bc3f61c4e324a619e5b4e53d3ac9f29e918 Mon Sep 17 00:00:00 2001 From: Elar Lang Date: Mon, 28 Oct 2024 19:30:21 +0200 Subject: [PATCH 1/2] #959 - document requirements for browsers and check them --- 5.0/en/0x10-V1-Architecture.md | 6 ++++++ 5.0/en/0x50-V50-Web-Frontend-Security.md | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/5.0/en/0x10-V1-Architecture.md b/5.0/en/0x10-V1-Architecture.md index c76d3cd3d3..b95460f3da 100644 --- a/5.0/en/0x10-V1-Architecture.md +++ b/5.0/en/0x10-V1-Architecture.md @@ -155,6 +155,12 @@ This is a placeholder for future documentation requirements. | **1.14.6** | [MOVED TO 50.7.2] | | | | | | **1.14.7** | [MODIFIED, MOVED FROM 1.1.5] Verify that all communication needs for the application are documented. This should include external services which the application relies upon and cases where an end user might be able to provide an external location to which the application will then connect. | | ✓ | ✓ | 1059 | +## V1.50 Web Frontend Security Documentation + +| # | Description | L1 | L2 | L3 | CWE | +| :---: | :--- | :---: | :---: | :---: | :---: | +| **1.50.1** | [ADDED] Verify that application documentation states the expected security features that browsers using the application should support (such as HTTPS, HSTS, Content Security Policy (CSP), and other relevant HTTP security mechanisms). It should also define how the application must behave when such an event happens (such as warning the user or blocking access). | | | ✓ | | + ## References For more information, see also: diff --git a/5.0/en/0x50-V50-Web-Frontend-Security.md b/5.0/en/0x50-V50-Web-Frontend-Security.md index ca43e475f0..4f0387cecb 100644 --- a/5.0/en/0x50-V50-Web-Frontend-Security.md +++ b/5.0/en/0x50-V50-Web-Frontend-Security.md 
@@ -68,7 +68,7 @@ it may need other separate section for "end-user protection via UI" | :---: | :--- | :---: | :---: | :---: | :---: | | **50.7.1** | [ADDED, SPLIT FROM 5.1.5] Verify that the application shows a notification when the user is being redirected to a URL outside of the application's control, with an option to cancel the navigation. | | | ✓ | | | **50.7.2** | [MODIFIED, MOVED FROM 1.14.6] Verify the application only uses client-side technologies which are still supported and considered secure. Examples of technologies which do not meet this requirement include NSAPI plugins, Flash, Shockwave, ActiveX, Silverlight, NACL, or client-side Java applets. | | ✓ | ✓ | 477 | -| **50.7.3** | [ADDED] Verify that the web application warns users who are using an old browser which does not support HTTP security features on which the application relies. The list of old browsers must be periodically reviewed and updated. | | | ✓ | 1104 | +| **50.7.3** | [ADDED] Verify that the application behaves as documented (such as warning the user or blocking access) if the browser used to access the application does not support the expected security features. | | | ✓ | | ## References From 0d08770ad9b2d4bda362951f1fd4f1a54503a2cd Mon Sep 17 00:00:00 2001 From: Elar Lang <47597707+elarlang@users.noreply.github.com> Date: Mon, 28 Oct 2024 22:28:59 +0200 Subject: [PATCH 2/2] improve wording --- 5.0/en/0x10-V1-Architecture.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/5.0/en/0x10-V1-Architecture.md b/5.0/en/0x10-V1-Architecture.md index b95460f3da..9cdd2dc813 100644 --- a/5.0/en/0x10-V1-Architecture.md +++ b/5.0/en/0x10-V1-Architecture.md 
@@ -159,7 +159,7 @@ This is a placeholder for future documentation requirements. | # | Description | L1 | L2 | L3 | CWE | | :---: | :--- | :---: | :---: | :---: | :---: | -| **1.50.1** | [ADDED] Verify that application documentation states the expected security features that browsers using the application should support (such as HTTPS, HSTS, Content Security Policy (CSP), and other relevant HTTP security mechanisms). It should also define how the application must behave when such an event happens (such as warning the user or blocking access). | | | ✓ | | +| **1.50.1** | [ADDED] Verify that application documentation states the expected security features that browsers using the application should support (such as HTTPS, HSTS, Content Security Policy (CSP), and other relevant HTTP security mechanisms). It should also define how the application must behave when some of these features are not available (such as warning the user or blocking access). | | | ✓ | | ## References
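Review bot: in the new 1.50.1 row added to 0x10-V1-Architecture.md in PATCH 1/2, "how the application must behave when such an event happens" has no antecedent, because the preceding sentence lists features rather than an event; PATCH 2/2 rewrites that clause, so squash the two so the intermediate state never reads that way. The feature examples also mix server-side mechanisms with browser capabilities: HSTS and CSP are things a browser may or may not support and enforce, but "HTTPS" is something every browser supports, so if the intent is a minimum protocol version or refusing mixed content, state that (for example "TLS 1.2 or later") instead of "HTTPS". The CWE column is left empty although the neighbouring 1.14.7 row maps to 1059 (Insufficient Technical Documentation), which fits a documentation requirement like this one.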
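Review bot: the rewritten 50.7.3 row in 0x50-V50-Web-Frontend-Security.md says the application must behave "as documented" but does not say in which document, so a verifier has no pointer to the documented expectation; cross-reference the new 1.50.1 in the row text the way neighbouring rows cite their origin, for example "... behaves as documented for requirement 1.50.1 ...". The old sentence "The list of old browsers must be periodically reviewed and updated" is dropped entirely rather than moved; since the expected feature list now lives in documentation, add the periodic-review obligation to 1.50.1 so it is not lost. The CWE mapping changes from 1104 to empty; if the removal is deliberate because 1104 (Use of Unmaintained Third Party Components) never fit this requirement, that is reasonable, but say so in the pull request rather than leaving it implicit. Finally, consider a sentence on how the check is expected to be made, because server-side User-Agent matching is the obvious implementation and is trivially spoofed, whereas the new wording no longer mentions "old browsers" at all.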
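Review bot: the replacement clause in PATCH 2/2, "when some of these features are not available", fixes the dangling "such an event" but "available" is still loose: the features are offered by the application, and what varies is whether the browser supports them, so "when the browser does not support one or more of these features" is more precise and matches the phrasing already used in 50.7.3 ("does not support the expected security features"). Since this patch only reworded a row introduced by PATCH 1/2, squash it into that commit rather than landing both.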