
Insecure or unset HTTP headers - X-Permitted-Cross-Domain-Policies - Scala


Need

Enforcement of secure and properly configured X-Permitted-Cross-Domain-Policies header


Context

  1. Usage of Scala for building scalable and high-performance applications
  2. Usage of play.api.mvc for handling HTTP requests in Play Framework

Description

Insecure Code Example

import play.api.mvc._

// Play controller (the `Controller` trait is deprecated since Play 2.6;
// `AbstractController(cc)` is the current equivalent, the header issue is the same).
class ApplicationController extends Controller {
  // Responds with a plain 200 and only the headers Play adds by default:
  // no X-Permitted-Cross-Domain-Policies header is emitted.
  def index = Action { request =>
    Ok("Hello, World!")
  }
}

This is a simple Scala controller using the Play framework. The `index` action responds to HTTP requests with "Hello, World!", but the response carries no `X-Permitted-Cross-Domain-Policies` header. That header tells Adobe clients (Flash Player, Acrobat/Reader) whether they may honor cross-domain policy files (`crossdomain.xml`) served from this origin. When it is absent or set to a permissive value, a policy file placed anywhere on the origin, for example through an upload feature or a subdirectory controlled by another party, can grant other domains cross-domain read access to the site's responses, including authenticated ones. The weakness is therefore not in the action itself but in the missing response policy, and it applies to every response the application emits, not just this route.

Steps

  1. Add the X-Permitted-Cross-Domain-Policies header to every HTTP response.
  2. Set the value to a restrictive one: `none` (no policy files are honored) or `master-only` (only the master policy file at `/crossdomain.xml` on the site root is honored). Avoid `all`, which honors any policy file found on the origin.
  3. Ensure the header is set for all routes and responses in the application, including error responses and static assets, rather than in individual actions; verify with `curl -sI https://<host>/ | grep -i x-permitted-cross-domain-policies`.

Secure Code Example

import play.api.mvc._

// Same controller as above, now emitting the header explicitly on this response.
class ApplicationController extends Controller {
  def index = Action { request =>
    // `withHeaders` takes (name, value) pairs and adds them to the Result;
    // `none` tells Adobe clients to honor no cross-domain policy file at all.
    Ok("Hello, World!").withHeaders("X-Permitted-Cross-Domain-Policies" -> "none")
  }
}

The above code fixes the issue by adding the `X-Permitted-Cross-Domain-Policies` header to the HTTP response. The header does not itself carry a policy; it tells Adobe clients which cross-domain policy files (`crossdomain.xml`), if any, they may trust from this origin. In the original code the header was not set, so a policy file reachable anywhere on the origin could grant other domains cross-domain access to the application's responses, with data leakage or unauthorized actions as the consequence. The fixed code sets the header to `none`, which means no policy file is honored and no domain gains cross-domain access through this mechanism. This is the most restrictive setting; if the application legitimately serves a master policy file at `/crossdomain.xml`, use `master-only` instead. The `withHeaders` method takes one or more `(name, value)` pairs and returns a copy of the `Result` with those headers added. Setting the header in a single action, as shown here, is only a demonstration: it must be applied to all routes and responses, which in Play is done with a filter rather than by repeating the call in every action, so that the policy is applied consistently throughout the application.
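The step that matters in practice is applying the header to every response rather than to one action. The following is an added example, not code from the original page or from the Play project, of a Play `Filter` that does this, together with the `application.conf` lines that enable it. It assumes Play 2.6 to 2.8 (Akka `Materializer`; on Play 2.9+ the import is `org.apache.pekko.stream.Materializer`), a package named `filters`, and a class name `PermittedCrossDomainPoliciesFilter`, all of which are hypothetical. The filter respects a value an action has already set, so a route that genuinely needs `master-only` can still override the default.

```scala
package filters

import javax.inject.Inject
import scala.concurrent.{ExecutionContext, Future}
import akka.stream.Materializer          // Play 2.6-2.8; org.apache.pekko.stream.Materializer on 2.9+
import play.api.mvc._

/** Adds X-Permitted-Cross-Domain-Policies to every response that does not set it.
  * Hypothetical class name; register it in application.conf (see below).
  */
class PermittedCrossDomainPoliciesFilter @Inject() (implicit val mat: Materializer,
                                                    ec: ExecutionContext) extends Filter {

  private val HeaderName  = "X-Permitted-Cross-Domain-Policies"
  private val DefaultValue = "none"   // most restrictive; "master-only" if /crossdomain.xml is served

  def apply(next: RequestHeader => Future[Result])(rh: RequestHeader): Future[Result] =
    next(rh).map { result =>
      // Play keeps response headers in a Map; compare names case-insensitively
      // so an action that already set the header (in any casing) wins.
      val alreadySet = result.header.headers.keys.exists(_.equalsIgnoreCase(HeaderName))
      if (alreadySet) result
      else result.withHeaders(HeaderName -> DefaultValue)
    }
}

// --- application.conf (HOCON, shown here as a comment so this file stays valid Scala) ---
//
// # Enable the filter above for every route, including 404s and assets:
// play.filters.enabled += "filters.PermittedCrossDomainPoliciesFilter"
//
// # Alternative without custom code: Play's built-in SecurityHeadersFilter
// # (enabled by default since Play 2.6) already sends this header, and its
// # value is configured with the following key (the framework default is "master-only"):
// play.filters.headers.permittedCrossDomainPolicies = "none"
```

If the built-in `SecurityHeadersFilter` is enabled, prefer the configuration key over a custom filter; the custom filter is useful when that filter has been disabled or its defaults are overridden per route. Either way, confirm the result from outside the application on a normal route, an error route and a static asset, since filters apply to all three while a per-action `withHeaders` call does not.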


References

  • 137 - Insecure or unset HTTP headers - X-Permitted-Cross-Domain-Policies

  • Last updated

    2023/09/18