Commit e5deec32 authored by Daniel Thompson-Yvetot

Merge branch 'req-storage-extra' into 'main_publish'

Additional Storage access control requirement

See merge request cyber/stan4cr2/en-304-617!52
parents af343753 6dee6b5d
+37 −0
@@ -172,6 +172,8 @@ public suffix list: list of all eTLDs

registrable domain: subdomain exactly one level below an eTLD, such that the domain and all further sub-domains are registered to a single tenant

rendering processes: processes or other execution contexts, that handle the execution or rendering of website assets

site: logical security boundary defined by scheme and registrable domain

third-party cookies: cookies keyed to a site other than the top-level site
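Review bot: the new "rendering processes" definition has a stray comma before "that" ("processes or other execution contexts, that handle ..."), which turns the restrictive clause into a non-restrictive one; drop the comma. Since the requirement added in this merge request relies on the phrase "outside rendering processes", it would also help to name the contrasting side here (the privileged browser process that brokers storage) so the reader knows which processes count as "outside".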
@@ -524,6 +526,8 @@ Applicability: Extensions installed via the product's extension distribution cha

**[REQ-STORE-ACC-2]** The product shall not share or make data available across browser profiles.

**[REQ-STORE-ACC-3]** The product shall enforce Same Origin Policy access control for storage data outside rendering processes.

**[REQ-SOP-AAC-1]**: The product shall deny access in one origin to all parts of another origin, except as defined in the user documentation.

Example: Web pages may load images from other origins, message using `window.postMessage` and may access limited properties such as `Location`. Web pages may not access the document object model or global Window scope from scripts of other origins. The user documentation references industry standards with implementation recommendations and additinal examples.
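Review bot: REQ-STORE-ACC-3 does not say what "enforce Same Origin Policy access control for storage data outside rendering processes" requires in practice: whether the origin check on each storage request must be performed by a process other than the rendering process that issued it (so a compromised renderer cannot read another origin's storage), or merely that the check must not live only inside the renderer. Suggest rewording to something like "The product shall enforce Same Origin Policy access control for storage data in a process other than the rendering process that requests the data", and, as the neighbouring requirements do, adding an Applicability or Example line that states what is in scope (cookies, local storage, IndexedDB, cache, etc.).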
@@ -1314,6 +1318,39 @@ The following steps are to be carried out in order:
**Supporting Evidence:**
- Extension console log.


### [ACC-STORE-ACC-3]

Assessment of [REQ-STORE-ACC-3]

- **Assessment Reference:** The product shall enforce Same Origin Policy access control for storage data outside rendering processes.

- **Assessment Objective:** Assess whether the product enforces separation of data across browser profiles.

- **Assessment Preparation:**
    - Identify a relevant website that can be used to set uniquely identifiable data.
    - Prepare tooling that will provide visibility into data available for a given browser profile.
    - Identify supported browser profiles (eg private browsing, user profiles etc).
    - Reset browser to factory default settings.
    - Prepare browser configuration to support available browser profiles.

- **Assessment Activities:**
    1. Open the website in the default browser profile, and note the data set by the website.
    2. Open the website in each other browser profile, and note the data available in each profile.
    3. Using the default browser profile, reload the website and note the data available.

- **Assignment of Verdict:** 
    - **Pass**
        - The data gets set in the default browser profile when visiting the website.
        - For each browser profile available, the data is set by the browser profile context successfully. 
        - The data set in the default browser profile is not available in any other browser profile.
        - Upon returning to the website, the data set initially is still available, and data set in individual profiles are not available.
    - **Fail**: Any of the above are not fulfilled.

- **Supporting Evidence**: 
    - Screenshot or log output from tooling at each step to demonstrate.


## 6.6 Confidentiality

Proposed ESR code: CON
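Review bot: the Assessment Objective, Preparation, Activities and Verdict of [ACC-STORE-ACC-3] test separation of data across browser profiles, which is REQ-STORE-ACC-2, not the Assessment Reference quoted directly above them (Same Origin Policy enforcement for storage data outside rendering processes); the body reads as a copy of the profile-separation assessment. The objective should instead assess whether a storage request from one origin for another origin's data is denied by a component outside the rendering process, with activities that attempt such a cross-origin storage access from the renderer side (a test extension would fit the "Extension console log" evidence pattern used above) and a Pass criterion that the access is rejected by the non-renderer component rather than by renderer-side script checks. Minor: "eg" should be "e.g.", "data set in individual profiles are not available" should read "is not available", and the "Assignment of Verdict:" and "Supporting Evidence:" lines carry trailing whitespace.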