Neil Matatall
We ran into a case where the `link_to href` check produced a ton of results which were false positives because while the values came from a model, this model can...
Rails 4, automatic escaping turned on. Same result with `html_safe`

```erb
```

`brakeman . -d`

```
+------------------------------------------------------+
| Output                                               |
+------------------------------------------------------+
| [Escaped Output] text_field_tag(:q, raw(params[:q])) |
+------------------------------------------------------+
```
...
Bits and pieces of a convo: generates a high confidence warning due to the unescaped model attribute. However, this value passes through a few validations and the raw HTML does...
Related: https://github.com/helmetjs/x-xss-protection/issues/14 There's some good discussion there. The OWASP consensus is that it does more harm than good. We've always allowed people to override this setting, but maybe we should...
Note: this issue used to focus on feature policy. Feature policy has been replaced with permissions-policy. While the two aren't equal, they are somewhat interchangeable for the discussion to this...
A discussion in https://github.com/twitter/secure_headers/issues/275 was about ensuring that rails gets support for feature policy and how it would require an API similar to the CSP API. It made me think...
Just like CSP and XFO, referrer-policy needs to have per-action configurability.
This is more of a meta issue where I'm going to drop notes before actually coming up with a documented plan. We intend to go through this process in the...
# Bugs

> Note: The plugin-types grammar allows for an empty directive value in which case all instantiations of embed and object will fail. https://w3c.github.io/webappsec-csp/#directive-plugin-types

We validate it must match...
# Feature Request

Rails does not allow you to set multiple headers with the same name, but CSP allows this. However, multiple headers that are comma separated can be used...
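As an added illustration of that last point (example code written for this page, not part of secure_headers or Rails): a small Ruby model of how a user agent evaluates a `Content-Security-Policy` header whose value carries several comma-separated policies. Per the CSP spec, `"a, b"` in one header field is equivalent to two separate header fields, and a request is permitted only if every policy permits it, so joining policies with commas is a workable stand-in when the framework only lets you set one header per name. The helper names (`join_policies`, `header_allows?`, and so on) and the sample URLs are assumptions made for this example.

```ruby
require "uri"

# Rails-side workaround: fold several policies into the single header value
# Rails lets you set. Directive values never contain commas, so ", " is an
# unambiguous separator.
def join_policies(*policies)
  policies.map(&:strip).join(", ")
end

# Browser-side: split the header value back into its individual policies.
def split_policies(header_value)
  header_value.split(",").map(&:strip).reject(&:empty?)
end

# Parse one policy ("a b; c d") into { "a" => ["b"], "c" => ["d"] }.
def parse_policy(policy)
  policy.split(";").each_with_object({}) do |directive, h|
    name, *sources = directive.strip.split(/\s+/)
    next if name.nil?
    h[name.downcase] = sources
  end
end

# Does one source expression match the URL being fetched? Covers the common
# keyword, scheme, host and wildcard-host forms; ports on host-sources are
# ignored to keep the example short.
def source_allows?(expr, uri, self_origin)
  case expr
  when "'none'" then false
  when "*"      then true
  when "'self'"
    uri.scheme == self_origin.scheme &&
      uri.host.casecmp?(self_origin.host) &&
      uri.port == self_origin.port
  when /\A[a-z][a-z0-9+.-]*:\z/i          # scheme-source such as "https:"
    uri.scheme.casecmp?(expr.chomp(":"))
  else                                      # host-source, optionally with scheme/port/path
    host = expr.sub(%r{\A[a-z][a-z0-9+.-]*://}i, "").sub(%r{[:/].*\z}, "")
    if host.start_with?("*.")
      uri.host.end_with?(host[1..])         # "*.example.com" matches "cdn.example.com", not "example.com"
    else
      uri.host.casecmp?(host)
    end
  end
end

# One policy allows the fetch if the governing directive (falling back to
# default-src) lists a matching source. A policy that says nothing about the
# directive places no restriction on it.
def policy_allows?(policy, directive, uri, self_origin)
  sources = policy[directive] || policy["default-src"]
  return true if sources.nil?
  sources.any? { |s| source_allows?(s, uri, self_origin) }
end

# The whole header allows the fetch only if EVERY policy in it allows it.
def header_allows?(header_value, directive, url, self_url)
  uri = URI(url)
  self_origin = URI(self_url)
  split_policies(header_value).all? do |p|
    policy_allows?(parse_policy(p), directive, uri, self_origin)
  end
end

# Constructed sample: a permissive base policy plus a stricter second policy.
BASE   = "default-src 'self'; script-src 'self' cdn.example.com"
STRICT = "script-src 'self'"
HEADER = join_policies(BASE, STRICT)   # => "default-src 'self'; script-src 'self' cdn.example.com, script-src 'self'"

if __FILE__ == $PROGRAM_NAME
  page = "https://example.com/"
  puts "script from self:  #{header_allows?(HEADER, 'script-src', 'https://example.com/app.js', page)}"
  puts "script from cdn:   #{header_allows?(HEADER, 'script-src', 'https://cdn.example.com/lib.js', page)}"
  puts "image from self:   #{header_allows?(HEADER, 'img-src', 'https://example.com/logo.png', page)}"
end
```

The point to notice is that the second policy tightens the first rather than replacing it: the CDN script is allowed by `BASE` alone but denied once `STRICT` is appended, while the image fetch is untouched because `STRICT` says nothing about `img-src`. That intersection behaviour is exactly why sending two policies (as two headers or one comma-joined header) is different from merging their directive lists.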