- From: Daniel Veditz <dveditz@mozilla.com>
- Date: Wed, 23 Apr 2014 01:18:48 -0700
- To: David Saez Padros <david@ols.es>, public-webappsec@w3.org
On 4/22/2014 12:40 AM, David Saez Padros wrote: > here is my vote for no-external-navigation directive, we have > seen several times malicious code injected in web pages that > redirect the visitor to pay per click affiliate programs or > to pages with dangerous code intended to infect the visitor We have avoided dealing with navigation up to now, in part because it's a big implementation can of worms (lots of ways to trigger a navigation), and in part because it could be used maliciously to trap a user on a site -- and we already see scam sites that try to do that using other browser features. I suppose we could mitigate the bad effects by saying such a directive: 1) never applies to user choices made through browser UI (back/forward buttons, bookmarks, typing urls) 2) a blocked navigation still exits the current page (no trapping) but instead of going to the forbidden location instead you get something neutral like a browser warning page or the browser's home page or "New Tab" equivalent. It's still "broken" behavior but that's OK because the site was presumably attacked or their CSP is buggy (i.e. broken). We've tended to avoid binary directives like "no-script" or "no-navigation". something along the lines of "allowed-navigation:" with a host list (where 'none' and 'self' are valid options) would fit the existing spec better. I definitely would NOT be interested in considering this for 1.1 (let's finish it up, please!). I'm not convinced such a feature is worth the implementation effort, but if it's something lots of sites think will help them I'd be willing to talk about it when we bring up 1.2 proposals. -Dan Veditz
Received on Wednesday, 23 April 2014 08:19:15 UTC