Implementation of secure and properly configured X-Permitted-Cross-Domain-Policies header
import 'package:shelf/shelf.dart' as shelf;

// Vulnerable version: the response carries no
// X-Permitted-Cross-Domain-Policies header at all.
shelf.Response handleRequest(shelf.Request request) {
  return shelf.Response.ok('Hello, World!');
}
The code above is a minimal HTTP handler written with the Shelf framework in Dart. The function handleRequest is meant to serve every incoming request and returns a plain-text response.
The weakness is the absence of the X-Permitted-Cross-Domain-Policies header in the response. This header tells Adobe Flash Player and Adobe Acrobat whether they may honour a cross-domain policy file (crossdomain.xml) for this origin when a Flash movie or PDF hosted on another domain tries to read its responses. If the header is missing, or set to a permissive value, a policy file that an attacker manages to place on the site (for example through an unrestricted file upload) can authorise cross-origin reads of authenticated content, leading to cross-domain data leaks.
Because handleRequest never sets the header, its responses are exposed to that risk. To secure the application, send X-Permitted-Cross-Domain-Policies with the value 'none', which forbids every policy file on the domain, or with 'master-only' if the application deliberately publishes a single /crossdomain.xml. The other defined values ('by-content-type', 'by-ftp-filename' and 'all') are more permissive and should not be used without a specific need. Flash Player reached end of life in 2020, so this header is a defence-in-depth measure for legacy clients rather than a primary control, but it is cheap and still part of the OWASP secure-headers recommendations.
import 'package:shelf/shelf.dart' as shelf;

// Fixed version: every response from this handler carries
// X-Permitted-Cross-Domain-Policies: none.
shelf.Response handleRequest(shelf.Request request) {
  return shelf.Response.ok(
    'Hello, World!',
    headers: {
      'X-Permitted-Cross-Domain-Policies': 'none',
    },
  );
}
The above code fixes the issue by adding the X-Permitted-Cross-Domain-Policies header to the HTTP response with the value 'none'. With that value Flash Player and Acrobat ignore any cross-domain policy file served from the domain, so content loaded from another origin cannot obtain permission to read this site's responses, regardless of whether a crossdomain.xml is present.
shelf.Response.ok creates a response with status code 200 (OK). Its first positional argument is the body; the headers are passed through the named headers parameter as a map, which is where the X-Permitted-Cross-Domain-Policies header is added here.
The header is now present on every response produced by handleRequest. Note that this protects only responses that go through this one function; any other handler in the application, including error responses, must set it too. In Shelf the usual way to guarantee that is middleware that adds the header to all responses, rather than repeating it in each handler.
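The following is an added example, not code from the original page or from the Shelf project, showing that middleware approach: a small Middleware built with Shelf's createMiddleware and Response.change adds the header to every response that lacks it, and a main function exercises the resulting handler against a constructed Request without opening a socket, failing loudly if the header is missing or insecure. The middleware name permittedCrossDomainPolicies and the sample route are assumptions chosen for the illustration; createMiddleware, Pipeline, Request, Response.ok and Response.change are real Shelf APIs.

```dart
import 'dart:async';

import 'package:shelf/shelf.dart' as shelf;

// Middleware (hypothetical name) that sets
// X-Permitted-Cross-Domain-Policies on every outgoing response.
// A handler that already set the header explicitly (for example a
// route that legitimately publishes /crossdomain.xml with
// 'master-only') keeps its own value; everything else gets 'none'.
// Shelf header maps are case-insensitive, so the containsKey check
// matches regardless of how a handler spelled the name.
shelf.Middleware permittedCrossDomainPolicies({String value = 'none'}) {
  const name = 'X-Permitted-Cross-Domain-Policies';
  return shelf.createMiddleware(
    responseHandler: (shelf.Response response) {
      if (response.headers.containsKey(name)) {
        return response;
      }
      return response.change(headers: {name: value});
    },
  );
}

// Application handler: the route itself does not know about the
// header; the pipeline adds it.
final shelf.Handler handler = const shelf.Pipeline()
    .addMiddleware(permittedCrossDomainPolicies())
    .addHandler((shelf.Request request) => shelf.Response.ok('Hello, World!'));

// Offline self-check: build a constructed request, run it through the
// pipeline and verify the header, without binding a port.
Future<void> main() async {
  final request = shelf.Request('GET', Uri.parse('http://localhost/'));
  final response = await handler(request);

  final value = response.headers['X-Permitted-Cross-Domain-Policies'];
  const secure = {'none', 'master-only'};
  if (value == null || !secure.contains(value)) {
    throw StateError(
        'X-Permitted-Cross-Domain-Policies missing or insecure: $value');
  }
  print('X-Permitted-Cross-Domain-Policies: $value');
}
```

To serve the pipeline for real, hand the same handler to shelf_io.serve from package:shelf/shelf_io.dart; because the header is applied in middleware, every route and every error response from the pipeline carries it, which is the property the per-handler fix above cannot guarantee on its own.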