- From: gaz Heyes <gazheyes@gmail.com>
- Date: Mon, 21 Feb 2011 18:58:46 +0000
- To: Adam Barth <w3c@adambarth.com>
- Cc: public-web-security@w3.org
Received on Monday, 21 February 2011 18:59:18 UTC
On 21 February 2011 18:48, Adam Barth <w3c@adambarth.com> wrote:

> Ah, I understand your point. That's true for some examples, but not
> true in general. For example, sandbox policies, as defined by HTML5,
> propagate to subframes. Although the document with the CSP policy
> could use something like meta-refresh to circumvent the navigation
> restrictions, the documents contained in subframes would not be able
> to do so.

Let's say that web site "A" hosts a CSP policy which by default blocks top navigation. They allow users to post links. The attacker then posts a link to an external domain "B". In that domain, the CSP configuration specifies allow-top-navigation; the attacker can now break out of the top redirect restriction for site "A". If the attacker can't do this because the policy cannot be overwritten, then we have a different problem, because the first policy can influence policy "B". I think the iframe attribute is the best place for this functionality.