- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Wed, 17 Jul 2013 10:04:40 -0700
- To: Mike West <mkwst@google.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Tue, Jul 16, 2013 at 1:46 PM, Mike West <mkwst@google.com> wrote: > #1: Prerendering/prefetching: Injecting `<link id=1 rel="prerender" > href="http://example.com/">` can cause a credential request to be made on a > user's behalf. The author suggests that `connect-src` should control this > behavior: I think I agree, even though it's not a perfect fit. Isn't frame-src closer? > #2: `<meta refresh>`: Injecting a meta tag that refreshes to a data URL can > cause script to execute. It won't be same-origin with the page into which it > was injected, but depending on the script, it could be a phishing vector, > etc. This doesn't really fit any of the directives (`form-action` is > closest), but it certainly doesn't seem worthwhile to add a `meta-action` > directive. I could see it falling under the 'unsafe-inline' bits of > `script-src`, I suppose (weakly hanging my hat on "The directive also > controls other resources, such as XSLT style sheets [XSLT], which can cause > the user agent to execute script."). Suggestions would be appreciated. How is this not frame-src? Or is this about top-level? What's the scenario there? -- http://annevankesteren.nl/
Received on Wednesday, 17 July 2013 17:05:07 UTC