andrewmusselman opened a new issue, #787:
URL: https://github.com/apache/tooling-trusted-releases/issues/787
**ASVS:** 3.2.1, 3.5.3 · **CWE:** CWE-346 · **File:** Application-wide (absent control)
### Description
The application does not validate `Sec-Fetch-Dest`, `Sec-Fetch-Mode`, or
`Sec-Fetch-Site` headers on any endpoint. ASVS 3.2.1 explicitly recommends this
validation to prevent browsers from rendering responses in an incorrect context
(e.g. API JSON loaded as a `<script>` or `<img>` source). This also provides
defense-in-depth for state-changing operations (3.5.3).
### Recommended fix
```python
import quart

# ``app`` is the project's existing Quart application object.


@app.before_request
async def validate_sec_fetch_headers() -> None:
    # Only API responses need protecting from being rendered as a page/embed.
    if quart.request.path.startswith('/api'):
        sec_fetch_dest = quart.request.headers.get('Sec-Fetch-Dest', '')
        if sec_fetch_dest in ('document', 'embed', 'object', 'frame',
                              'iframe'):
            quart.abort(403)
        # Defense in depth for state-changing methods: reject cross-site
        # requests. An empty value (non-browser clients, older browsers) and
        # 'none' (user-initiated navigation) are allowed.
        if quart.request.method in ('POST', 'PUT', 'DELETE', 'PATCH'):
            sec_fetch_site = quart.request.headers.get('Sec-Fetch-Site', '')
            if sec_fetch_site not in ('same-origin', 'none', ''):
                quart.abort(403)
```
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
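The policy proposed in the issue, separated from the web framework so it can be unit-tested and run over constructed requests. This is an added example, not code from the issue or from the tooling-trusted-releases project; the function name `check_sec_fetch`, the `/api` prefix default, and the sample requests are assumptions. It goes slightly beyond the issue's snippet by normalising header-name and value case and by offering an optional stricter destination set (`SUBRESOURCE_DESTS`) that also rejects the `<script>`/`<img>`-style loads the description mentions, which the issue's own snippet does not block.

```python
"""Framework-agnostic Fetch Metadata check (added example, not project code)."""
from __future__ import annotations

from typing import FrozenSet, List, Mapping, NamedTuple

# Destinations in which the browser would render the response as a page or
# embed it. This is the set the issue's snippet rejects on /api paths.
NAVIGATION_DESTS: FrozenSet[str] = frozenset(
    {"document", "embed", "object", "frame", "iframe"}
)
# Subresource destinations (values from the Fetch Metadata spec). Denying these
# as well stops API JSON being pulled in as a script, image, style, etc.
SUBRESOURCE_DESTS: FrozenSet[str] = frozenset(
    {"script", "image", "style", "font", "audio", "video", "track"}
)
STATE_CHANGING_METHODS = frozenset({"POST", "PUT", "DELETE", "PATCH"})
# Sec-Fetch-Site values a state-changing request may carry. "" is allowed
# because non-browser clients and older browsers send no header at all, and
# "none" means a user-initiated request (typed URL, bookmark), not a forgery.
TRUSTED_SITES = frozenset({"same-origin", "none", ""})


class Decision(NamedTuple):
    allowed: bool
    reason: str


def _header(headers: Mapping[str, str], name: str) -> str:
    # Header names are case-insensitive; values are compared lower-cased too.
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get(name.lower(), "").strip().lower()


def check_sec_fetch(
    method: str,
    path: str,
    headers: Mapping[str, str],
    api_prefix: str = "/api",
    denied_dests: FrozenSet[str] = NAVIGATION_DESTS,
) -> Decision:
    """Return whether a request passes the Sec-Fetch policy and why."""
    if not path.startswith(api_prefix):
        return Decision(True, "not an API path; policy does not apply")
    dest = _header(headers, "Sec-Fetch-Dest")
    if dest in denied_dests:
        return Decision(False, f"Sec-Fetch-Dest={dest} would misuse the API response")
    if method.upper() in STATE_CHANGING_METHODS:
        site = _header(headers, "Sec-Fetch-Site")
        if site not in TRUSTED_SITES:
            return Decision(False, f"cross-site {method.upper()} (Sec-Fetch-Site={site})")
    return Decision(True, "ok")


# Constructed sample requests (method, path, headers); not captured traffic.
CONSTRUCTED_REQUESTS = [
    ("GET", "/api/releases", {"Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors",
                              "Sec-Fetch-Site": "same-origin"}),
    ("GET", "/api/releases", {"Sec-Fetch-Dest": "document", "Sec-Fetch-Mode": "navigate",
                              "Sec-Fetch-Site": "cross-site"}),
    ("POST", "/api/releases", {"Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "cors",
                               "Sec-Fetch-Site": "cross-site"}),
    ("POST", "/api/releases", {"Sec-Fetch-Dest": "empty", "Sec-Fetch-Mode": "same-origin",
                               "Sec-Fetch-Site": "same-origin"}),
    ("POST", "/api/releases", {}),  # e.g. curl: no Fetch Metadata headers at all
    ("GET", "/api/releases", {"Sec-Fetch-Dest": "script", "Sec-Fetch-Site": "cross-site"}),
    ("POST", "/login", {"Sec-Fetch-Site": "cross-site"}),  # not under /api
]


def run_demo(denied_dests: FrozenSet[str] = NAVIGATION_DESTS) -> List[bool]:
    """Evaluate the constructed requests; returns the allowed/denied flags."""
    results = []
    for method, path, headers in CONSTRUCTED_REQUESTS:
        decision = check_sec_fetch(method, path, headers, denied_dests=denied_dests)
        results.append(decision.allowed)
        verdict = "ALLOW" if decision.allowed else "DENY"
        print(f"{method:<5} {path:<14} -> {verdict:<5} {decision.reason}")
    return results


if __name__ == "__main__":
    print("issue policy:")
    run_demo()
    print("with subresource destinations also denied:")
    run_demo(NAVIGATION_DESTS | SUBRESOURCE_DESTS)
```

In Quart the same decision becomes a `before_request` hook that calls `quart.abort(403)` when `allowed` is false. Note that the empty-header case must stay allowed: the headers are only sent by browsers that implement Fetch Metadata, so this check is defense in depth alongside the application's existing CSRF protection rather than a replacement for it.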