Security.html
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<meta name="generator" content="pandoc">
<meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=yes">
<title></title>
<style type="text/css">code{white-space: pre;}</style>
<link rel="stylesheet" href="./github-markdown.css">
<!--[if lt IE 9]>
<script src="//cdnjs.cloudflare.com/ajax/libs/html5shiv/3.7.3/html5shiv-printshiv.min.js"></script>
<![endif]-->
<link rel="icon" type="image/x-icon" href="favicon.ico" />
</head>
<body>
<h2 id="security-benefits-of-using-requestpolicy">Security benefits of using RequestPolicy</h2>
<p><em>Warning: When using RequestPolicy with the <a href="Quickstart.html#Setting-up---default-policy">default policy</a> being <code>Allow</code>, you won't be protected from the attacks/techniques described below!</em></p>
<h4 id="cross-site-request-forgery">Cross-Site Request Forgery</h4>
<p><a href="https://en.wikipedia.org/wiki/Cross-site_request_forgery">Cross-Site Request Forgery</a> (CSRF) is an attack that takes advantage of the fact that a website that receives a request from your browser may not be able to tell that you, the human user, didn't actually intend to make that request. When you are at a website, say evil-site.com, the content of the page that you are viewing can tell your browser to make a request to your-bank.com. When your-bank.com receives the request, it may not know that you didn't really intend to make that request! Other types of CSRF attacks also exist. Some join the victim to an attacker's session. Some cause the client to download illegal/unwanted/unethical/embarrassing content.</p>
<p>How can you stay safe against CSRF attacks? Until now, protecting against CSRF attacks required the user to trust that every website protects itself against CSRF attacks (and, of course, many don't). Users had very limited ability to protect themselves (e.g. always logging out of services that require login, not being logged into two websites simultaneously, or using completely separate browsers or browser instances for different websites). These protections, however, were only effective in certain cases. RequestPolicy allows you to protect yourself. With RequestPolicy, cross-site requests are disallowed unless you choose to allow them. You won't have to just hope that you don't fall victim to CSRF attacks -- you'll be safe.</p>
<h4 id="clickjacking">Clickjacking</h4>
<p><a href="https://en.wikipedia.org/wiki/Clickjacking">Clickjacking</a> is a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on. A clickjacked page tricks a user into performing undesired actions by clicking on a concealed link. In most cases, clickjacking attacks require that a malicious (or exploited) website be able to load other websites in IFRAMEs (small browser windows embedded within the main browser window). RequestPolicy protects you from these types of attacks because including those IFRAMEs from other sites will not be allowed unless you explicitly allow them. So, for example, if you are on evil-site.com, the evil-site.com webpage will not be able to tell your browser to load a page from your-bank.com unless you choose to allow that.</p>
<h4 id="network-attacks-and-scans">Network attacks and scans</h4>
<p>Using RequestPolicy will also help prevent your browser from being used in various types of network attacks and network scanning. For example, if a website you visit tries to use your browser to perform a scan of your local network, those requests will be blocked.</p>
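<p>The following is an added example, not RequestPolicy's own code: a small model of the cross-site decision the three sections above describe, showing how the CSRF, IFRAME and local-network cases all come down to the same question (is the destination same-site, explicitly allowed by the user, or left to the default policy) and why a default policy of <code>Allow</code> removes the protection. It assumes "same site" can be approximated by the last two host labels (a real implementation would consult the Public Suffix List), that user rules are origin-to-destination allow entries, and that the sample hosts and rule are constructed for illustration.</p>

```javascript
// Added example (not RequestPolicy's code). Assumptions: same site ~ last two
// host labels; rules are {origin, dest} allow entries; defaultPolicy is
// "Allow" or "Deny", mirroring the default-policy warning in the text.

function baseDomain(host) {
  // IPv4 literals have no registrable domain; keep them whole.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return host;
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Loopback, RFC 1918 and link-local IPv4 literals, plus localhost/.local names.
function isPrivateDestination(host) {
  const h = host.toLowerCase();
  if (h === "localhost" || h.endsWith(".local")) return true;
  const m = /^(\d{1,3})\.(\d{1,3})\.\d{1,3}\.\d{1,3}$/.exec(h);
  if (!m) return false;
  const a = Number(m[1]), b = Number(m[2]);
  return a === 10 || a === 127 || (a === 192 && b === 168) ||
         (a === 172 && b >= 16 && b <= 31) || (a === 169 && b === 254);
}

function decideRequest(originHost, destHost, rules, defaultPolicy) {
  const origin = baseDomain(originHost), dest = baseDomain(destHost);
  const privateDest = isPrivateDestination(destHost);
  // Same-site requests are outside the scope of a cross-site policy.
  if (origin === dest) return { allowed: true, reason: "same-site", privateDest };
  // An allow rule the user added wins over the default.
  if (rules.some(r => r.origin === origin && r.dest === dest)) {
    return { allowed: true, reason: "explicit-allow", privateDest };
  }
  // Otherwise the default decides: with "Allow", the cross-site request
  // (CSRF, third-party IFRAME or local-network probe alike) goes through.
  const allowed = defaultPolicy === "Allow";
  return { allowed, reason: "default-" + defaultPolicy.toLowerCase(), privateDest };
}

// Constructed samples: the evil-site.com -> your-bank.com request from the
// text, a same-site request, a user-allowed CDN, and a local-network probe.
const rules = [{ origin: "your-bank.com", dest: "bank-cdn.net" }];
const samples = [["evil-site.com", "your-bank.com"],
                 ["www.your-bank.com", "api.your-bank.com"],
                 ["your-bank.com", "static.bank-cdn.net"],
                 ["evil-site.com", "192.168.1.1"]];
for (const policy of ["Deny", "Allow"]) {
  for (const [o, d] of samples) {
    const r = decideRequest(o, d, rules, policy);
    console.log(`${policy}: ${o} -> ${d}: ${r.allowed ? "allowed" : "blocked"} (${r.reason})`);
  }
}
```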
</body>
</html>