TD0737: Modification of test 2 to comply with same origin policy in RFC 6454
Publication Date
2023.04.26
Protection Profiles
PP_APP_WEBBROWSER_EP_v2.0
Other References
FDP_SOP_EXT.1
Issue Description
The SFR FDP_SOP_EXT.1.1 indicates the browser shall only permit scripts contained in one web page to access data in a second web page if both pages are from the same origin. However, Test 2 states that "the evaluator shall verify that the scripts can retrieve content from another window/tab at a different subdomain." This test does not comply with the same origin policy (per RFC 6454) and should not allow the scripts to retrieve content from another window/tab at a different subdomain. Resolution
Test 2 for FDP_SOP_EXT.1 in PP_APP_WEBBROWSER_EP_v2.0 is updated as follows with underline indicating additions:
Justification
The issue is that test 2 incorrectly states that a evaluator shall verify that the scripts can retrieve content from another window/tab at a different subdomain. This does not comply with same origin policy as defined in RFC 6454. |