ASVS Requirement 3.5.8

• Level: 3
• Chapter: V3 Web Frontend Security
• Section: V3.5 Browser Origin Separation
• Source: 0x12-V3-Web-Frontend-Security.md

Description

Verify that authenticated resources (such as images, videos, scripts, and other documents) can be loaded or embedded on behalf of the user only when intended. This can be accomplished by strict validation of the Sec-Fetch-* HTTP request header fields to ensure that the request did not originate from an inappropriate cross-origin call, or by setting a restrictive Cross-Origin-Resource-Policy HTTP response header field to instruct the browser to block returned content.