- From: Brad Hill <hillbrad@gmail.com>
- Date: Mon, 31 Aug 2015 16:47:23 +0000
- To: yao zhongxiao <zhongxiao.yzx@gmail.com>, public-webappsec@w3.org
- Cc: mkwst@google.com, w3c@adambarth.com, dveditz@mozilla.com
- Message-ID: <CAEeYn8jyrzFkZzhOP5A1sCm-xbpi7s1i5=Hh5mx_Wuv+s_vfBw@mail.gmail.com>
CSP doesn't prevent any resource from linking to your resource, though your server might examine an HTTP Referer header (if one is sent) and decline to provide a response if it doesn't provide an expected value, or the frame-ancestors directive can be used to restrict display of a resource in certain embedded contexts, but not generally as part of navigation.

The work slowly moving forward on COWL (http://cowl.ws/) aims to provide some confinement properties for document environments, but in general we are very wary of breaking navigation in this way in the browser.

It might help to understand your use cases better. If a site you want to block is "illegal" (by which I'll presume it is a phishing site or distributing malware) wouldn't it make more sense to block navigation generally using something like Google's SafeBrowsing or Microsoft's SmartScreen service, instead of having to shoehorn this into a per-resource policy? CSP in general is a whitelist, not a blacklist mechanism, and I presume any list of sites you want to block is potentially unbounded.

-Brad

On Mon, Aug 31, 2015 at 2:19 AM yao zhongxiao <zhongxiao.yzx@gmail.com> wrote:

> Sorry if it was out of scope, I am quite new in this mailing list.
>
> I want to seek advice from all of you about the rules to restrict malicious hyperlinks that will be linked to.
> There are the following ways, but not limited to those:
> 1. <a href="https://www.evil.com/hijacked/Phishing.html">Visit illegal website</a>
> 2. <link href="https://www.evil.com/hijacked/Phishing.html" rel="external">Visit illegal website</a>
> 3. window.open("https://www.evil.com/hijacked/Phishing.html")
>
> Please let me abstract the above cases and illustrate them with the following scenario.
> PageA has a hyperlink to PageB, and one of the pages is a malicious webpage.
> If we take roles into consideration, there are two cases.
> 1. PageA ---links to---> *PageB
> 2. *PageA ---links to---> PageB
> where "*" indicates the current or protected page, and the other is the restricted page.
>
> As far as I know, the referrer directive could be used to constrain the sources of the current page in CSP rules [https://w3c.github.io/webappsec/specs/CSP2/].
> However, it seems to be incapable of restricting the resources that will be linked to. That means CSP can cover case 1, but it cannot cover case 2. (Am I right?)
>
> Above all, there are 2 questions as follows:
> 1. Is there an existing solution or workaround solution?
> 2. Is it possible to add directives for href to provide an easy way to constrain the resources that will be referred to from the current protected page?
>
> It's my pleasure if I could get a reply and discuss this topic!
>
> Sincerely!
>
> Zhongxiao Yao
>
> China.
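The two server-side measures Brad names (checking the Referer header and emitting a `frame-ancestors` directive) as an added, stand-alone example; this is not code from the thread, the W3C spec, or either author. The allowed-origin set, the `handle_request` helper and the request headers below are constructed for illustration; a real deployment would take the origin list from its own configuration.

```python
from urllib.parse import urlsplit

# Constructed policy: origins that may embed this resource or whose links we accept.
ALLOWED_ORIGINS = {"https://www.example.com", "https://app.example.com"}


def referer_origin(referer):
    """Reduce a Referer value to scheme://host[:port], or None if absent/unparsable."""
    if not referer:
        return None
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def frame_ancestors_header(allowed_origins):
    """Build the CSP value that limits who may frame this resource (embedding only;
    it has no effect on ordinary <a href> navigation, as Brad notes)."""
    return "frame-ancestors 'self' " + " ".join(sorted(allowed_origins))


def handle_request(headers, allowed_origins=ALLOWED_ORIGINS, allow_missing_referer=True):
    """Decide whether to serve the resource from the request's Referer header.

    Returns (status_code, response_headers). Hypothetical helper, not a framework API.
    """
    # HTTP header names are case-insensitive; normalise the lookup once.
    lowered = {name.lower(): value for name, value in headers.items()}
    origin = referer_origin(lowered.get("referer"))
    response_headers = {"Content-Security-Policy": frame_ancestors_header(allowed_origins)}

    if origin is None:
        # Referer is routinely absent (referrer policy, privacy settings, typed URLs,
        # HTTPS->HTTP downgrades), so refusing on absence breaks legitimate direct
        # visits. Whether to allow that is a policy choice, hence the flag.
        return (200 if allow_missing_referer else 403), response_headers

    if origin in allowed_origins:
        return 200, response_headers
    # Referring origin not on the list: decline to serve, as Brad describes.
    return 403, response_headers


if __name__ == "__main__":
    # Constructed request: the phishing URL from the original question as referrer.
    print(handle_request({"Referer": "https://www.evil.com/hijacked/Phishing.html"}))
    print(handle_request({"referer": "https://app.example.com/dashboard"}))
    print(handle_request({}))
```

Two caveats worth keeping in mind: the Referer header is set by the client, so any non-browser client can omit or forge it, which makes this a nuisance filter rather than an access control; and `frame-ancestors` only governs framing, so neither measure stops a page on another site from simply linking to yours, which is the limitation the reply is pointing at.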
Received on Monday, 31 August 2015 16:48:03 UTC