AWS waf documentation change
Summary
Updated documentation to include 'protection pack' terminology alongside existing 'web ACL' references throughout the token domain configuration documentation. Added section about new console experience.
Security assessment
Changes primarily expand terminology to include 'protection pack' but don't address specific vulnerabilities. Token domain validation logic remains unchanged (still matching host domains and configured lists). No evidence of patching security flaws or disclosing incidents.
Diff
diff --git a/waf/latest/developerguide/waf-tokens-domains.md b/waf/latest/developerguide/waf-tokens-domains.md index 0633ef8a9..c0d421fa6 100644 --- a//waf/latest/developerguide/waf-tokens-domains.md +++ b//waf/latest/developerguide/waf-tokens-domains.md @@ -5 +5,5 @@ -Web ACL token domain listToken domain settings +AWS WAF protection pack or web ACL token domain listToken domain settings + +**Introducing a new console experience for AWS WAF** + +You can now use the updated experience to access AWS WAF functionality anywhere in the console. For more details, see [Working with the updated console experience](./working-with-console.html). @@ -11 +15 @@ This section explains how to configure the domains that AWS WAF uses in tokens a -When AWS WAF creates a token for a client, it configures it with a token domain. When AWS WAF inspects a token in a web request, it rejects the token as invalid if its domain doesn't match any of the domains that are considered valid for the web ACL. +When AWS WAF creates a token for a client, it configures it with a token domain. When AWS WAF inspects a token in a web request, it rejects the token as invalid if its domain doesn't match any of the domains that are considered valid for the protection pack or web ACL. @@ -13 +17 @@ When AWS WAF creates a token for a client, it configures it with a token domain. -By default, AWS WAF only accepts tokens whose domain setting exactly matches the host domain of the resource that's associated with the web ACL. This is the value of the `Host` header in the web request. In a browser, you can find this domain in the JavaScript `window.location.hostname` property and in the address that your user sees in their address bar. +By default, AWS WAF only accepts tokens whose domain setting exactly matches the host domain of the resource that's associated with the protection pack or web ACL. This is the value of the `Host` header in the web request. In a browser, you can find this domain in the JavaScript `window.location.hostname` property and in the address that your user sees in their address bar. @@ -15 +19 @@ By default, AWS WAF only accepts tokens whose domain setting exactly matches the -You can also specify acceptable token domains in your web ACL configuration, as described in the following section. In this case, AWS WAF accepts both exact matches with the host header and matches with domains in the token domain list. +You can also specify acceptable token domains in your protection pack or web ACL configuration, as described in the following section. In this case, AWS WAF accepts both exact matches with the host header and matches with domains in the token domain list. @@ -17 +21 @@ You can also specify acceptable token domains in your web ACL configuration, as -You can specify token domains for AWS WAF to use when setting the domain and when evaluating a token in a web ACL. The domains that you specify can't be public suffixes such as `gov.au`. For the domains that you can't use, see the list [https://publicsuffix.org/list/public_suffix_list.dat](https://publicsuffix.org/list/public_suffix_list.dat) under [Public suffix list](https://publicsuffix.org/list/). +You can specify token domains for AWS WAF to use when setting the domain and when evaluating a token in a protection pack or web ACL. The domains that you specify can't be public suffixes such as `gov.au`. For the domains that you can't use, see the list [https://publicsuffix.org/list/public_suffix_list.dat](https://publicsuffix.org/list/public_suffix_list.dat) under [Public suffix list](https://publicsuffix.org/list/). @@ -19 +23 @@ You can specify token domains for AWS WAF to use when setting the domain and whe -## AWS WAF web ACL token domain list configuration +## AWS WAF protection pack or web ACL token domain list configuration @@ -21 +25 @@ You can specify token domains for AWS WAF to use when setting the domain and whe -You can configure a web ACL to share tokens across multiple protected resources by providing a token domain list with the additional domains that you want AWS WAF to accept. With a token domain list, AWS WAF still accepts the resource's host domain. Additionally, it accepts all domains in the token domain list, including their prefixed subdomains. +You can configure a protection pack or web ACL to share tokens across multiple protected resources by providing a token domain list with the additional domains that you want AWS WAF to accept. With a token domain list, AWS WAF still accepts the resource's host domain. Additionally, it accepts all domains in the token domain list, including their prefixed subdomains. @@ -25 +29 @@ For example, a domain specification `example.com` in your token domain list matc -You can configure the token domain list in your web ACL when you create or edit it. For general information about managing a web ACL, see [Viewing web traffic metrics in AWS WAF](./web-acl-working-with.html). +You can configure the token domain list in your protection pack or web ACL when you create or edit it. For general information about managing a protection pack or web ACL, see [Viewing web traffic metrics in AWS WAF](./web-acl-working-with.html). @@ -33 +37 @@ The domain that AWS WAF sets in a token is determined by the type of challenge s - * **JavaScript SDK** – You can configure the JavaScript SDK with a token domain specification, which can include one or more domains. The domains that you configure must be domains that AWS WAF will accept, based on the protected host domain and the web ACL's token domain list. + * **JavaScript SDK** – You can configure the JavaScript SDK with a token domain specification, which can include one or more domains. The domains that you configure must be domains that AWS WAF will accept, based on the protected host domain and the protection pack or web ACL's token domain list. @@ -39 +43 @@ For more information, see [Providing domains for use in the tokens](./waf-js-cha - * **Mobile SDK** – In your application code, you must configure the mobile SDK with a token domain property. This property must be a domain that AWS WAF will accept, based on the protected host domain and the web ACL's token domain list. + * **Mobile SDK** – In your application code, you must configure the mobile SDK with a token domain property. This property must be a domain that AWS WAF will accept, based on the protected host domain and the protection pack or web ACL's token domain list. @@ -45 +49 @@ For more information, see the `WAFConfiguration` `domainName` setting at [AWS WA - * **Challenge action** – If you specify a token domain list in the web ACL, AWS WAF sets the token domain to one that matches the host domain and is the shortest, from among the host domain and the domains in the list. For example, if the host domain is `api.example.com` and the token domain list has `example.com`, AWS WAF uses `example.com` in the token, because it matches the host domain and is shorter. If you don't provide a token domain list in the web ACL, AWS WAF sets the domain to the host domain of the protected resource. + * **Challenge action** – If you specify a token domain list in the protection pack or web ACL, AWS WAF sets the token domain to one that matches the host domain and is the shortest, from among the host domain and the domains in the list. For example, if the host domain is `api.example.com` and the token domain list has `example.com`, AWS WAF uses `example.com` in the token, because it matches the host domain and is shorter. If you don't provide a token domain list in the protection pack or web ACL, AWS WAF sets the domain to the host domain of the protected resource.