W3C home > Mailing lists > Public > public-css-archive@w3.org > December 2018

Re: [csswg-drafts] [css-nav-1] hostile iframes (#3390)

From: Florian Rivoal via GitHub <sysbot+gh@w3.org>
Date: Mon, 03 Dec 2018 07:57:59 +0000
To: public-css-archive@w3.org
Message-ID: <issue_comment.created-443620288-1543823878-sysbot+gh@w3.org>
---

Migrated from https://github.com/WICG/spatial-navigation/issues/58#issuecomment-395594854
Originally created by @Malvoz on *Thu, 07 Jun 2018 23:14:35 GMT*

---
This could be a [feature policy](https://wicg.github.io/feature-policy/), e.g:

`allow` attribute:
 `<iframe src="https://example.com" allow="spatnav">`

or in a header field:
`Feature-Policy: spatnav 'self' https://example.com;`

Alternatively spatnav could be enabled by default for all sources in CSP's [`frame-src`](https://www.w3.org/TR/CSP/#directive-frame-src) (and [`object-src`](https://www.w3.org/TR/CSP/#directive-object-src)) _fetch_ directives? But that would limit control of trusted sources to only `iframe` and `object` respectively. There is the drafted [`navigate-to`](https://w3c.github.io/webappsec-csp/#directive-navigate-to) _navigation_ directive, but I'm not totally sure how that works. 

And although CSP is good practice, it would force developers to enable CSP to provide spatial navigation for iframed content. Which probably isn't ideal?

-- 
GitHub Notification of comment by frivoal
Please view or discuss this issue at https://github.com/w3c/csswg-drafts/issues/3390#issuecomment-443620288 using your GitHub account
Received on Monday, 3 December 2018 07:58:01 UTC

This archive was generated by hypermail 2.4.0 : Tuesday, 5 July 2022 06:41:40 UTC