org.sonar.l10n.javascript.rules.javascript.S5743.html
This rule is deprecated, and will eventually be removed.
By default, web browsers perform DNS prefetching to reduce the latency of the DNS resolutions required when a user clicks links on a website page.
For instance, on example.com the hyperlink below contains a cross-origin domain name that the web browser must resolve to an IP address:
<a href="https://otherexample.com">go on our partner website</a>
This can add significant latency to requests, especially if the page contains many links to cross-origin domains. DNS prefetching lets web browsers perform DNS resolution in the background before the user clicks a link. The feature can raise privacy issues because DNS resolution from the user's computer happens without their consent, even if they never intend to visit the linked website.
On a complex private web page, a combination of unique links (and therefore unique DNS resolutions) can indicate to an eavesdropper, for instance, that the user is visiting that private page.
Ask Yourself Whether
- Links to cross-origin domains could leak confidential information about the user's navigation or behavior on the website.
There is a risk if you answered yes to this question.
Recommended Secure Coding Practices
Implement the X-DNS-Prefetch-Control header with the off value; note that this could significantly degrade website performance.
Sensitive Code Example
In an Express.js application, the code is sensitive if the dns-prefetch-control middleware is disabled or used without the recommended value:
const express = require('express');
const helmet = require('helmet');

let app = express();

app.use(
  helmet.dnsPrefetchControl({
    allow: true // Sensitive: allowing DNS prefetching is security-sensitive
  })
);
Compliant Solution
In an Express.js application, the dns-prefetch-control or helmet middleware is the standard way to implement the X-DNS-Prefetch-Control header:
const express = require('express');
const helmet = require('helmet');

let app = express();

app.use(
  helmet.dnsPrefetchControl({
    allow: false // Compliant: sends X-DNS-Prefetch-Control: off
  })
);
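As an added example (not Sonar's or helmet's own code), the following dependency-free middleware sends the same X-DNS-Prefetch-Control values helmet does, and an audit helper classifies a response's headers the way this rule does; the mock response object is constructed here so it runs offline.

```javascript
// Added example: a minimal equivalent of helmet.dnsPrefetchControl() plus an
// audit helper. Not helmet's code; the mock response below is constructed.

const HEADER = 'X-DNS-Prefetch-Control';

// Returns Express-style middleware (req, res, next).
// allow: false (the default) -> "off" (compliant); allow: true -> "on" (sensitive).
function dnsPrefetchControl(options = {}) {
  const value = options.allow === true ? 'on' : 'off';
  return function (req, res, next) {
    res.setHeader(HEADER, value);
    if (typeof next === 'function') next();
  };
}

// Classify a response's headers as the rule does: only an explicit "off" is
// compliant. Header names are matched case-insensitively, as HTTP requires.
function auditDnsPrefetch(headers) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === HEADER.toLowerCase());
  if (key === undefined) {
    return 'sensitive: header missing, browser default (prefetching on) applies';
  }
  const v = String(headers[key]).trim().toLowerCase();
  return v === 'off' ? 'compliant' : `sensitive: ${HEADER} is "${headers[key]}"`;
}

// Constructed stand-in for an Express response: just enough to record headers.
function mockResponse() {
  const headers = {};
  return { setHeader: (name, value) => { headers[name] = value; }, headers };
}

// Run the middleware against the mock response and report the audit verdict.
function runWithMiddleware(options) {
  const res = mockResponse();
  let nextCalled = false;
  dnsPrefetchControl(options)({}, res, () => { nextCalled = true; });
  return { headers: res.headers, nextCalled, verdict: auditDnsPrefetch(res.headers) };
}

console.log(runWithMiddleware({ allow: false }).verdict); // compliant
console.log(runWithMiddleware({ allow: true }).verdict);  // sensitive: X-DNS-Prefetch-Control is "on"
console.log(auditDnsPrefetch({}));                        // sensitive: header missing, ...
```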
See
- OWASP - Top 10 2021 Category A5 - Security Misconfiguration
- OWASP - Top 10 2017 Category A3 - Sensitive Data Exposure
- developer.mozilla.org - X-DNS-Prefetch-Control
- developer.mozilla.org - Using dns-prefetch