- From: <sird@rckc.at>
- Date: Mon, 21 Feb 2011 11:21:34 -0800
- To: gaz Heyes <gazheyes@gmail.com>
- Cc: Adam Barth <w3c@adambarth.com>, public-web-security@w3.org
Would be cool if we had a "disallow-navigation" rule which disallows the user from navigating to any links.

-- Eduardo

On Mon, Feb 21, 2011 at 10:58 AM, gaz Heyes <gazheyes@gmail.com> wrote:
> On 21 February 2011 18:48, Adam Barth <w3c@adambarth.com> wrote:
>>
>> Ah, I understand your point. That's true for some examples, but not
>> true in general. For example, sandbox policies, as defined by HTML5,
>> propagate to subframes. Although the document with the CSP policy
>> could use something like meta-refresh to circumvent the navigation
>> restrictions, the documents contained in subframes would not be able
>> to do so.
>
> Let's say that web site "A" hosts a CSP policy which by default blocks top
> navigation. They allow users to post links. The attacker then posts a link to
> an external domain "B"; in that domain the CSP configuration specifies
> allow-top-navigation, and the attacker can now break out of the top redirect
> restriction for site "A". If the attacker can't do this because the policy
> cannot be overwritten, then we have a different problem, because the first
> policy can influence policy "B". I think the iframe attribute is the best
> place for this functionality.
>
Received on Monday, 21 February 2011 19:22:27 UTC
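The disagreement above is about how sandboxing flags combine across frames. The following model, added here as an example and not code from the thread's participants or from any browser, applies the HTML5 propagation rule Adam refers to: a nested document's active sandboxing flag set is the union of the flags set by the `sandbox` attribute of the `<iframe>` that embeds it, the flags set by its own CSP `sandbox` directive, and the active flags of its parent, so a policy can only add restrictions, never remove ones inherited from an ancestor. The flag names, the `csp`/`iframeSandbox` record shape, the `THREAD_SCENARIO` data and the header format (modern `Content-Security-Policy` directive syntax) are assumptions of this example. It also encodes the rule that a document may always navigate its own browsing context, which is why the top-level document carrying the policy can still meta-refresh itself while its subframes cannot navigate the top.

```javascript
// Model of HTML sandboxing-flag propagation through a chain of frames.
// Example code; not part of the original thread or of any browser engine.

// Restriction flags modelled here (subset of the HTML sandboxing flag set).
// "navigation" has no allow-* token: once sandboxed, a frame may never
// navigate arbitrary other frames.
const ALL_FLAGS = ['navigation', 'top-navigation', 'scripts', 'forms',
                   'popups', 'same-origin', 'pointer-lock'];

// Each allow-* token clears exactly one restriction flag.
const TOKEN_CLEARS = {
  'allow-top-navigation': 'top-navigation',
  'allow-scripts': 'scripts',
  'allow-forms': 'forms',
  'allow-popups': 'popups',
  'allow-same-origin': 'same-origin',
  'allow-pointer-lock': 'pointer-lock',
};

// Parse a sandbox token list ("" or "allow-scripts allow-forms").
// null/undefined means "no sandbox at this source", i.e. no restrictions.
// Presence of a sandbox (even an empty one) sets every flag; tokens clear
// individual flags; unknown tokens are ignored, as browsers do.
function parseSandbox(value) {
  if (value === null || value === undefined) return new Set();
  const flags = new Set(ALL_FLAGS);
  for (const tok of value.trim().split(/\s+/).filter(Boolean)) {
    const cleared = TOKEN_CLEARS[tok.toLowerCase()];
    if (cleared) flags.delete(cleared);
  }
  return flags;
}

// Extract the token list of the "sandbox" directive from a CSP header value.
// Returns null when the header carries no sandbox directive.
function sandboxDirectiveOf(cspHeader) {
  if (!cspHeader) return null;
  for (const directive of cspHeader.split(';')) {
    const parts = directive.trim().split(/\s+/).filter(Boolean);
    if (parts.length && parts[0].toLowerCase() === 'sandbox') {
      return parts.slice(1).join(' ');
    }
  }
  return null;
}

// Flags contributed by one frame on its own (embedding <iframe> attribute
// plus its own CSP sandbox directive), before inheritance.
function ownFlags(frame) {
  const flags = parseSandbox(frame.iframeSandbox);
  for (const f of parseSandbox(sandboxDirectiveOf(frame.csp))) flags.add(f);
  return flags;
}

// chain[0] is the top-level document, chain[i+1] is framed by chain[i].
// { csp: CSP header value or null, iframeSandbox: sandbox attribute of the
//   <iframe> that embeds this frame, or null }
// Returns the active (effective) flag set of every level: own flags unioned
// with the parent's active flags. Restrictions only accumulate downwards.
function effectiveFlags(chain) {
  const levels = [];
  let inherited = new Set();
  for (const frame of chain) {
    const active = new Set(inherited);
    for (const f of ownFlags(frame)) active.add(f);
    levels.push(active);
    inherited = active;
  }
  return levels;
}

// Can the innermost document navigate the top-level browsing context?
function canNavigateTop(chain) {
  // A document may always navigate its own browsing context; for the
  // top-level document that is exactly a "top navigation" (meta-refresh etc.).
  if (chain.length === 1) return true;
  const levels = effectiveFlags(chain);
  return !levels[levels.length - 1].has('top-navigation');
}

// Index of the outermost level whose own policy introduces `flag`, or -1.
function restrictingLevel(chain, flag) {
  return chain.findIndex(frame => ownFlags(frame).has(flag));
}

// Constructed scenario from the thread: site A's top-level document carries a
// CSP sandbox without allow-top-navigation and embeds attacker-chosen site B,
// whose own CSP asks for allow-top-navigation.
const THREAD_SCENARIO = [
  { csp: "default-src 'self'; sandbox allow-scripts allow-forms", iframeSandbox: null }, // A
  { csp: 'sandbox allow-scripts allow-top-navigation', iframeSandbox: null },          // B
];

console.log('B may navigate top:', canNavigateTop(THREAD_SCENARIO),
            '(restriction introduced at level', restrictingLevel(THREAD_SCENARIO, 'top-navigation') + ')');
```

Run with `node`: B's `allow-top-navigation` is reported as ineffective because the restriction was introduced at level 0, which is the "first policy can influence policy B" effect Gaz describes; putting `sandbox="allow-scripts allow-top-navigation"` on A's `<iframe>` instead (and no sandbox on A itself) yields `true`, which is the iframe-attribute placement he prefers.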