W3C home > Mailing lists > Public > public-web-security@w3.org > February 2011

Re: CSP Directive Proposal: Sandbox

From: Adam Barth <w3c@adambarth.com>
Date: Mon, 21 Feb 2011 11:22:31 -0800
Message-ID: <AANLkTikq=62r-1HbgLw08WGJwSU_EJo+dCRKpCEDLDRG@mail.gmail.com>
To: gaz Heyes <gazheyes@gmail.com>
Cc: public-web-security@w3.org
On Mon, Feb 21, 2011 at 10:58 AM, gaz Heyes <gazheyes@gmail.com> wrote:
> On 21 February 2011 18:48, Adam Barth <w3c@adambarth.com> wrote:
>> Ah, I understand your point.  That's true for some example, but not
>> true in general.  For example, sandbox policies, as defined by HTML5,
>> propagate to subframes.  Although the document with the CSP policy
>> could use something like meta-refresh to circumvent the navigation
>> restrictions, the documents contained in subframes would not be able
>> to do so.
>
> Lets say that web site "A" hosts a CSP policy which by default blocks top
> navigation. They allow to post links. The attacker then posts a link to a
> external domain "B" in that domain the CSP configuration specifies
> allow-top-navigation the attacker can now break out of the top redirect
> restriction for site "A". If the attacker can't do this because the policy
> cannot be overwritten then we have a different problem because the first
> policy can influence policy "B". I think the iframe attribute is the best
> place for this functionality.

Yes, I understand.  However, consider the case where A contains a
frame to B.  Now B cannot navigate A because of A's CSP policy.

Adam
Received on Monday, 21 February 2011 19:23:35 GMT

This archive was generated by hypermail 2.2.0+W3C-0.50 : Monday, 21 February 2011 19:23:35 GMT