deploy: 5621da1
elf-pavlik committed Jun 4, 2024
1 parent 9bad4ff commit c740e93
Showing 1 changed file with 4 additions and 5 deletions.
9 changes: 4 additions & 5 deletions index.html
Expand Up @@ -8,7 +8,7 @@
<meta content="Bikeshed version 82ce88815, updated Thu Sep 7 16:33:55 2023 -0700" name="generator">
<link href="https://solid.github.io/security-considerations/" rel="canonical">
<link href="https://www.w3.org/2008/site/images/favicon.ico" rel="icon">
<meta content="c52919d7bbc936209205eccec1995b32c297ed9b" name="document-revision">
<meta content="5621da182588c95de61798be49e8943f52660a7a" name="document-revision">
<style>/* Boilerplate: style-autolinks */
.css.css, .property.property, .descriptor.descriptor {
color: var(--a-normal-text);
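Review bot: the new document-revision value 5621da182588c95de61798be49e8943f52660a7a agrees with the source commit named in the commit message (deploy: 5621da1), so this generated metadata line is consistent; nothing further to change in this hunk.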
Expand Down Expand Up @@ -468,7 +468,6 @@ <h2 class="no-num no-toc no-ref" id="contents">Table of Contents</h2>
<ol class="toc">
<li><a href="#solid-oidc"><span class="secno">1.1</span> <span class="content">Solid OIDC</span></a>
<li><a href="#serving-user-created-files"><span class="secno">1.2</span> <span class="content">Serving user-created files</span></a>
<li><a href="#considerations"><span class="secno">1.3</span> <span class="content">Considerations</span></a>
</ol>
<li>
<a href="#references"><span class="secno"></span> <span class="content">References</span></a>
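Review bot: this hunk only removes the top-level TOC entry for the former section 1.3 Considerations. Because the body now places Considerations beneath Countermeasures at a deeper heading level, confirm that the regenerated TOC still emits a link to #considerations inside the nested list (not visible in this hunk); otherwise the section is no longer reachable from the table of contents.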
Expand Down Expand Up @@ -545,9 +544,7 @@ <h5 class="heading settled" data-level="1.2.2.2" id="attack①"><span class="sec
<li data-md>
<p>The attacker can use the credentials to log in with the IDP of the victim.</p>
</ol>
<h3 class="heading settled" data-level="1.3" id="considerations"><span class="secno">1.3. </span><span class="content">Considerations</span><a class="self-link" href="#considerations"></a></h3>
<p>Servers are strongly encouraged to consider the countermeasures in the context of the use cases they want to enable or disable on a given storage. For instance, using <code>Content-Security-Policy: sandbox</code> will universally prohibit various functionalities for applications, including but not limited to accessing local storage, executing scripts, using forms, interacting with plugins, or including external content. This broad range of restrictions may not be desirable for various categories of applications that rely on client-side storage mechanisms, collaborative features, or dynamic content interaction.</p>
<h4 class="heading settled" data-level="1.3.1" id="serving-user-created-files-countermeasures"><span class="secno">1.3.1. </span><span class="content">Countermeasures</span><a class="self-link" href="#serving-user-created-files-countermeasures"></a></h4>
<h4 class="heading settled" data-level="1.2.3" id="serving-user-created-files-countermeasures"><span class="secno">1.2.3. </span><span class="content">Countermeasures</span><a class="self-link" href="#serving-user-created-files-countermeasures"></a></h4>
<ul>
<li data-md>
<p>Servers are encouraged to apply security measures when serving user-created files.</p>
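Review bot: the renumbering keeps both fragment ids (`considerations` and `serving-user-created-files-countermeasures`) unchanged while the data-level and secno text move from 1.3 / 1.3.1 to 1.2.3, so existing deep links into the document keep resolving. The one thing to double-check is that the Considerations heading and paragraph removed here are re-emitted with the same id further down the file, so that `#considerations` does not dangle after this hunk.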
Expand All @@ -556,6 +553,8 @@ <h4 class="heading settled" data-level="1.3.1" id="serving-user-created-files-co
<li data-md>
<p>As one possible countermeasure, servers could add a [<code>Content-Security-Policy: sandbox</code>](https://www.w3.org/TR/CSP3/#directive-sandbox) header to artificially enable <code>same-origin</code> security policies for files served on the same origin.</p>
</ul>
<h5 class="heading settled" data-level="1.2.3.1" id="considerations"><span class="secno">1.2.3.1. </span><span class="content">Considerations</span><a class="self-link" href="#considerations"></a></h5>
<p>Servers are strongly encouraged to consider the countermeasures in the context of the use cases they want to enable or disable on a given storage. For instance, using <code>Content-Security-Policy: sandbox</code> will universally prohibit various functionalities for applications, including but not limited to accessing local storage, executing scripts, using forms, interacting with plugins, or including external content. This broad range of restrictions may not be desirable for various categories of applications that rely on client-side storage mechanisms, collaborative features, or dynamic content interaction.</p>
</main>
<script src="https://www.w3.org/scripts/TR/2021/fixup.js"></script>
<h2 class="no-num no-ref heading settled" id="references"><span class="content">References</span><a class="self-link" href="#references"></a></h2>
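Review bot: the context line `As one possible countermeasure, servers could add a [<code>Content-Security-Policy: sandbox</code>](https://www.w3.org/TR/CSP3/#directive-sandbox) header` still carries raw Markdown link syntax in the generated HTML, so readers see literal brackets and a bare URL instead of a link; fix it in the Bikeshed source (an `<a href="...">` or a Bikeshed autolink) and redeploy. A second wording point in the same bullet: "artificially enable same-origin security policies" is imprecise, since the sandbox directive makes the browser treat the response as having an opaque origin, so the user-created file is no longer same-origin with the rest of the storage; the new 1.2.3.1 Considerations paragraph, which explains the functionality the directive disables, would read more accurately if the bullet said that.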

0 comments on commit c740e93