Remove CORP and similar headers entirely
(and ignore corresponding ZAP finding as these headers
 seem to break the SSTi challenge when app is running in
 a subfolder)
bkimminich committed Dec 24, 2020
1 parent db3dac4 commit 4c20da4
Showing 2 changed files with 1 addition and 6 deletions.
1 change: 1 addition & 0 deletions .zap/rules.tsv
Expand Up @@ -12,3 +12,4 @@
10049 IGNORE (Storable but Non-Cacheable Content)
10049 IGNORE (Non-Storable Content)
10110 IGNORE (Dangerous JS Functions)
90004 IGNORE (Insufficient Site Isolation Against Spectre Vulnerability)
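Review bot: the IGNORE for 90004 (Insufficient Site Isolation Against Spectre Vulnerability) silences ZAP's check for the whole site, not just the subfolder deployment the commit message says was broken, and the rules file itself records no reason for the suppression. Since the deletion in server.js of the `Cross-Origin-Resource-Policy`, `Cross-Origin-Opener-Policy` and `Cross-Origin-Embedder-Policy` lines is the only thing this rule would now fire on, consider documenting next to the rule that it exists because those headers break the SSTi challenge when the app runs in a subfolder, so a later maintainer knows the condition under which the ignore can be lifted again.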
6 changes: 0 additions & 6 deletions server.js
Expand Up @@ -172,12 +172,6 @@ app.use(featurePolicy({
payment: ["'self'"]
}
}))
app.use(function (req, res, next) {
// res.setHeader('Cross-Origin-Resource-Policy', 'same-site')
// res.setHeader('Cross-Origin-Opener-Policy', 'same-origin-allow-popups')
// res.setHeader('Cross-Origin-Embedder-Policy', 'require-corp')
next() // TODO Replace above manually set headers with helmet solution once supported (see https://github.com/helmetjs/helmet/issues/176)
})

/* Remove duplicate slashes from URL which allowed bypassing subsequent filters */
app.use((req, res, next) => {
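Review bot: the deleted middleware was already inert, because all three `res.setHeader(...)` calls inside it were commented out and the function only called `next()`, so this hunk changes no response header at runtime; what it actually removes is the TODO pointing at https://github.com/helmetjs/helmet/issues/176. If reinstating COOP, COEP and CORP through helmet is still the plan once that issue is resolved, carry the TODO over, for example as a comment beside the `app.use(featurePolicy({ ... }))` call just above, so the intent is not lost along with the dead code.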

0 comments on commit 4c20da4