|
|
@@ -11,7 +11,7 @@
|
|
|
>
|
|
|
> Each finding is referenced as **F<N>** for later citation.
|
|
|
>
|
|
|
-> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (26 fixed, 16 open).
|
|
|
+> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (27 fixed, 15 open).
|
|
|
|
|
|
---
|
|
|
|
|
|
@@ -1932,6 +1932,25 @@
|
|
|
only `geolocation`, `microphone`, `camera`. Cheap to add the
|
|
|
rest.
|
|
|
- **Severity: 1**
|
|
|
+- **Status:** Fixed. Both Caddyfiles now emit:
|
|
|
+ - `Cross-Origin-Opener-Policy: same-origin` — isolates the
|
|
|
+ browsing context from any popups it opens; a
|
|
|
+ `window.opener.location = …` from a newly-spawned
|
|
|
+ cross-origin tab can no longer reach back into the app.
|
|
|
+ - `Cross-Origin-Resource-Policy: same-origin` — tells the
|
|
|
+ browser the resource may only be loaded by same-origin
|
|
|
+ documents (defeats sub-resource leaks via cross-origin
|
|
|
+ `<img>`/`<script>`/`<link>` inclusion).
|
|
|
+ - `X-Permitted-Cross-Domain-Policies: none` — blocks legacy
|
|
|
+ Adobe Flash / Acrobat `crossdomain.xml` lookups.
|
|
|
+ COEP `require-corp` was deliberately *not* added: it would
|
|
|
+ require every cross-origin resource (e.g. the jsDelivr-hosted
|
|
|
+ RapiDoc on `/api/docs`) to opt in via CORP, which we don't
|
|
|
+ control. The SEC_REVIEW called out COOP / CORP / X-Permitted-
|
|
|
+ CDP only; sticking to that scope. (`Permissions-Policy`
|
|
|
+ hardening — F61 — is tracked separately.) Caddyfile syntax is
|
|
|
+ validated with `frankenphp validate --config … --adapter
|
|
|
+ caddyfile` ("Valid configuration") on both files.
|
|
|
|
|
|
### F60 — HSTS lacks `preload`
|
|
|
- **Files:** `ui/docker/Caddyfile:37`, `api/docker/Caddyfile:36`
|
chiappa