- From: David Saez Padros <david@ols.es>
- Date: Wed, 23 Apr 2014 11:00:27 +0200
- To: Daniel Veditz <dveditz@mozilla.com>, public-webappsec@w3.org
Hi
> We have avoided dealing with navigation up to now, in part because it's
> a big implementation can of worms (lots of ways to trigger a
> navigation), and in part because it could be used maliciously to trap a
> user on a site -- and we already see scam sites that try to do that
> using other browser features.
FF already has a user option to warn on redirects.
> I suppose we could mitigate the bad effects by saying such a directive:
>
> 1) never applies to user choices made through browser UI (back/forward
> buttons, bookmarks, typing urls)
Of course, this should be mainly intended for automated redirects
(javascript, meta tag, or maybe even server redirects, but not for user
actions).
> We've tended to avoid binary directives like "no-script" or
> "no-navigation". something along the lines of "allowed-navigation:" with
> a host list (where 'none' and 'self' are valid options) would fit the
> existing spec better.
Sounds better.
--
Best regards ...
----------------------------------------------------------------
David Saez
On-Line Services 2000 S.L.
http://www.ols.es
----------------------------------------------------------------
Received on Wednesday, 23 April 2014 09:28:50 UTC
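
The semantics discussed in this message, as an added sketch that is not part of the original e-mail or of any CSP specification: an "allowed-navigation" source list ('none', 'self', hosts) is applied to automated navigations only, and user choices made through browser UI are exempt. The function names, the trigger labels, hostname-only host matching and the sample policy are assumptions made for illustration.

```javascript
// Added sketch: the directive discussed in the thread was only a proposal.
// Function names and trigger labels below are hypothetical.
const USER_TRIGGERS = new Set(['back-forward', 'bookmark', 'typed-url']);

// Return the directive's source list, or null when the policy omits it.
function parseAllowedNavigation(policy) {
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    if (tokens[0].toLowerCase().replace(/:$/, '') === 'allowed-navigation') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

// Decide whether a navigation from documentUrl to targetUrl may proceed.
function navigationAllowed(policy, documentUrl, targetUrl, trigger) {
  // User choices made through browser UI are never restricted.
  if (USER_TRIGGERS.has(trigger)) return true;
  const sources = parseAllowedNavigation(policy);
  if (sources === null) return true; // directive absent: no restriction
  const doc = new URL(documentUrl);
  const target = new URL(targetUrl);
  return sources.some((src) => {
    if (src === "'none'") return false;
    if (src === "'self'") return target.origin === doc.origin;
    // Assumption: "*.host" matches subdomains only, as CSP host sources do.
    if (src.startsWith('*.')) return target.hostname.endsWith(src.slice(1));
    return target.hostname === src;
  });
}

// Constructed sample policy and URLs.
const policy = "default-src 'self'; allowed-navigation 'self' *.example.org";
const page = 'https://shop.example.com/cart';
for (const [url, trigger] of [
  ['https://shop.example.com/pay', 'script'],
  ['https://cdn.example.org/asset', 'meta-refresh'],
  ['https://scam.test/', 'server-redirect'],
  ['https://scam.test/', 'typed-url'],
]) {
  console.log(trigger, url, navigationAllowed(policy, page, url, trigger));
}
```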