- From: Andy Paicu <andypaicu@chromium.org>
- Date: Fri, 1 Dec 2017 15:20:06 +0100
- To: Rob van Eijk <rob@blaeu.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>, "mkwst@google.com" <mkwst@google.com>
- Message-ID: <CALTCLq5O+OydU8Y=g3XHuVztCyM_a7K6X0dNCb_X5=sY1tBHjQ@mail.gmail.com>
Hi Rob,

I think it fits better as a CSP directive, not as part of sandbox. If we are adding it to sandbox we are saying that it only makes sense as part of sandbox, but I believe there are plenty of situations where this can be used without sandbox. Also, I believe sandbox currently has only Y/N flags, and this should be a serialized-source-list; in CSP it would become a sort of directive inside a directive, which can make CSP syntax more complicated.

Regards,
Andy Paicu

On Fri, Dec 1, 2017 at 1:21 PM, Rob van Eijk <rob@blaeu.com> wrote:
> Hi,
>
> Is the idea to add it as a CSP directive or as a sandbox value?
>
> I think the idea to implement the enforcement as a sandbox value may make more sense. Since the sandbox directive applies restrictions to the frame, a 'navigation-to' sandbox value would prevent loading resources other than the ones whitelisted. Absence of the 'navigation-to' sandbox value would not enforce a whitelist on the sandboxed iframe.
>
> Rob
>
> -----Original message-----
> *From:* Andy Paicu
> *Sent:* Friday, December 1 2017, 12:04 pm
> *To:* public-webappsec@w3.org
> *Subject:* A 'navigation-to' CSP directive
>
> Hello all,
>
> Following the discussions at TPAC I have put together a document proposal/explainer around a 'navigation-to' CSP directive.
>
> This directive can help web authors control the top level navigations allowed from their page, and I have listed some scenarios where such a directive could be used.
>
> If you are interested, please have a look and feel free to leave comments.
>
> https://docs.google.com/a/chromium.org/document/d/1eMfw7sSIPtPPs9T3K2C8SfDi3Q7OXRTrRDdkGOLb19M/edit?usp=sharing
>
> Regards,
> Andy Paicu
Received on Friday, 1 December 2017 14:20:32 UTC
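The distinction Andy draws above, a serialized-source-list rather than a yes/no sandbox flag, as an added example that is not part of the thread or the explainer: a small Python evaluator of how a 'navigation-to' directive would decide whether a top-level navigation is permitted. The directive name follows the proposal; the header, page and target URLs are constructed, and path matching is left out.

```python
"""Evaluate a proposed 'navigation-to' CSP directive against a top-level navigation.
Added illustration, not code from the explainer or any browser: it applies CSP
serialized-source-list matching (scheme, host, wildcard subdomain, port; paths
ignored) to the navigation target, list semantics a yes/no sandbox token lacks."""
DEFAULT_PORTS = {"http": 80, "https": 443}
# Constructed example policy and page; no real deployment is described.
HEADER = "default-src 'self'; navigation-to 'self' https://*.partner.example https://payments.example:8443"
PAGE = "https://shop.example/cart"

def parse_csp(header):
    """Split a CSP header into {directive: [source, ...]}; the first occurrence wins."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy

def origin(url):
    """Return (scheme, host, effective port) for an absolute http(s) URL."""
    scheme, rest = url.lower().split("://", 1)
    host, _, port = rest.split("/", 1)[0].partition(":")
    return scheme, host, int(port or DEFAULT_PORTS[scheme])

def source_allows(source, page, target):
    """Match one source expression (e.g. https://*.partner.example:8443) against target."""
    src = source.lower()
    if src in ("'none'", "'self'"):
        return src == "'self'" and origin(target) == origin(page)
    t_scheme, t_host, t_port = origin(target)
    if src.endswith(":"):                              # scheme-source such as "https:"
        return t_scheme == src[:-1]
    s_scheme, _, rest = src.rpartition("://")
    s_host, _, s_port = rest.split("/", 1)[0].partition(":")
    if s_scheme and t_scheme != s_scheme:
        return False
    if not s_scheme and t_scheme not in {origin(page)[0], "https"}:
        return False                                   # schemeless host: page's scheme (or https)
    if s_host.startswith("*."):                        # "*.partner.example" excludes the apex
        if not t_host.endswith(s_host[1:]):
            return False
    elif s_host not in ("*", t_host):
        return False
    return s_port == "*" or t_port == int(s_port or DEFAULT_PORTS[t_scheme])

def navigation_allowed(header, page, target):
    """True if 'navigation-to' in header permits navigating page's top level to target.
    An absent directive imposes no restriction, as with other CSP directives."""
    sources = parse_csp(header).get("navigation-to")
    return True if sources is None else any(source_allows(s, page, target) for s in sources)
```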