Insecure or unset HTTP headers - X-Permitted-Cross-Domain-Policies - Dart


Need

Implementation of secure and properly configured X-Permitted-Cross-Domain-Policies header


Context

  1. Usage of Dart for building cross-platform mobile, web, and desktop applications
  2. Usage of Shelf for managing and organizing data in Node.js applications

Description

Insecure Code Example

import 'package:shelf/shelf.dart' as shelf;

// Handles every incoming request. The response carries no
// X-Permitted-Cross-Domain-Policies header, so clients fall back to
// whatever cross-domain policy files the host happens to serve.
shelf.Response handleRequest(shelf.Request request) {
  return shelf.Response.ok('Hello, World!');
}

The code above is a minimal HTTP server built on the Shelf framework in Dart. The function `handleRequest` handles every incoming HTTP request and returns a plain text response. The vulnerability is the absence of the `X-Permitted-Cross-Domain-Policies` header in that response. The header tells Adobe clients (Flash Player, Acrobat) whether they may honour cross-domain policy files (such as `crossdomain.xml`) hosted on this domain when the content is loaded from another origin. If the header is missing or set to a permissive value, an attacker-controlled policy file on the host can expose the site's data to cross-domain reads. Because `handleRequest` never sets the header, every response it produces is exposed to this risk. To secure the application, set `X-Permitted-Cross-Domain-Policies` to `none` or another restrictive value that matches the application's requirements.

Steps

  1. Identify where the HTTP response is being created in your code.
  2. Add the X-Permitted-Cross-Domain-Policies header to the HTTP response.
  3. Set the value of the X-Permitted-Cross-Domain-Policies header to 'none'. This will prevent Adobe Flash and Adobe Acrobat from loading content from the domain.
  4. Ensure that this header is included in every HTTP response that your application sends.

Secure Code Example

import 'package:shelf/shelf.dart' as shelf;

// Same handler as above, now sending the header on every response it builds.
// `headers` is a named parameter of Response.ok and is merged into the
// response's header map.
shelf.Response handleRequest(shelf.Request request) {
  return shelf.Response.ok(
    'Hello, World!',
    headers: {
      'X-Permitted-Cross-Domain-Policies': 'none',
    },
  );
}

The above code fixes the vulnerability by adding the `X-Permitted-Cross-Domain-Policies` header to the HTTP response and setting its value to `none`. The header is a security feature that prevents Adobe Flash and Adobe Acrobat from loading content from the domain; with the value `none`, these clients are told not to honour any cross-domain policy file on the domain. `shelf.Response.ok` creates an HTTP response with status code 200 (OK); its `headers` named argument is a map of headers to include in the response, and here it carries the `X-Permitted-Cross-Domain-Policies` header. Since `handleRequest` is the only handler, every response the application sends includes the header, protecting it against cross-domain policy file attacks.
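Setting the header inside one handler (as in the secure example) stops working as soon as a second handler is added, so step 4 of the procedure is better met with a Shelf middleware that stamps every response. The following is an added example, not code from the original page; it assumes the `shelf` package (for `createMiddleware`, `Pipeline` and `Response.change`) and `shelf_io.serve`, and it reuses the page's `handleRequest`. The `allowedPolicies` set, the `permittedCrossDomainPolicies` middleware and the `responseHasSecurePolicyHeader` check are names chosen for this example.

```dart
import 'dart:io';

import 'package:shelf/shelf.dart' as shelf;
import 'package:shelf/shelf_io.dart' as shelf_io;

const policyHeader = 'X-Permitted-Cross-Domain-Policies';

// Values the header accepts. Only 'none' is restrictive; 'all' effectively
// disables the protection and is listed here so it can be rejected on purpose.
const allowedPolicies = {
  'none',
  'master-only',
  'by-content-type',
  'by-ftp-filename',
  'all',
};

/// Middleware (hypothetical name) that adds the header to every response.
/// A handler that already set the header explicitly is left untouched, so
/// an endpoint can opt into a different value if it must.
shelf.Middleware permittedCrossDomainPolicies({String value = 'none'}) {
  if (!allowedPolicies.contains(value)) {
    throw ArgumentError.value(value, 'value', 'not a valid $policyHeader value');
  }
  if (value == 'all') {
    throw ArgumentError.value(value, 'value', 'permits every policy file; refuse');
  }
  return shelf.createMiddleware(
    responseHandler: (shelf.Response response) {
      // Shelf header maps are case-insensitive, so this catches any casing.
      if (response.headers.containsKey(policyHeader)) {
        return response;
      }
      return response.change(headers: {policyHeader: value});
    },
  );
}

// The page's original (unprotected) handler, unchanged on purpose: the
// middleware, not the handler, is responsible for the header.
shelf.Response handleRequest(shelf.Request request) {
  return shelf.Response.ok('Hello, World!');
}

/// Offline check (hypothetical name): run a handler against a constructed
/// request and confirm the header is present with the value 'none'.
Future<bool> responseHasSecurePolicyHeader(shelf.Handler handler) async {
  final request = shelf.Request('GET', Uri.parse('http://localhost/'));
  final response = await handler(request);
  return response.headers[policyHeader]?.toLowerCase() == 'none';
}

Future<void> main() async {
  final handler = const shelf.Pipeline()
      .addMiddleware(shelf.logRequests())
      .addMiddleware(permittedCrossDomainPolicies())
      .addHandler(handleRequest);

  // Self-check before binding: the bare handler fails, the wrapped one passes.
  final bare = await responseHasSecurePolicyHeader(handleRequest);
  final wrapped = await responseHasSecurePolicyHeader(handler);
  print('bare handler sets header: $bare, with middleware: $wrapped');

  final server = await shelf_io.serve(handler, InternetAddress.loopbackIPv4, 8080);
  print('Listening on http://${server.address.host}:${server.port}');
}
```

Once the server is running, `curl -sI http://127.0.0.1:8080/` should show `x-permitted-cross-domain-policies: none` on every route, including error responses produced by later handlers, since the middleware wraps the whole pipeline. Keeping the check in `responseHasSecurePolicyHeader` lets a unit test assert the header without opening a socket.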


References

  • 137 - Insecure or unset HTTP headers - X-Permitted-Cross-Domain-Policies

  • Last updated: 2023/09/18