Exported From Confluence, Fri, 29 Mar 2024 07:33:44 +0000 (UTC)
Client-side code SHOULD be built entirely with mature JavaScript APIs (not ActiveX or Java):
JSON data MUST only be parsed with a secure JavaScript API such as JSON.parse() (not eval()).
Instead of unsafe JavaScript APIs that write HTML markup directly (e.g. ".innerHTML"), safe APIs SHOULD be used that only write text output (e.g. ".innerText" or ".textContent"). The same requirement applies to web frameworks that provide such functionality.
HTTP headers of Web UIs MUST be implemented according to Appendix A: Requirements for HTTP Security Header.
Confidential user data MAY be stored on the client side, but this SHOULD only be done in encrypted form.
User states or other meta-information MUST only be stored with sufficient integrity protection (e.g. as a signed JWT).