- From: Mike West <mkwst@google.com>
- Date: Thu, 18 Jul 2013 10:52:43 +0200
- To: Boris Zbarsky <bzbarsky@mit.edu>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Thursday, 18 July 2013 08:53:31 UTC
On Wed, Jul 17, 2013 at 9:24 PM, Boris Zbarsky <bzbarsky@mit.edu> wrote:
> On 7/17/13 2:50 PM, Anne van Kesteren wrote:
>>>> How is this not frame-src? Or is this about top-level? What's the
>>>> scenario there?
>>>
>>> The scenario is injection causing automagical top-level navigation. That's
>>> why `script-src 'unsafe-inline'` seems like a quasi-decent fit, and why
>>> `frame-src` doesn't seem relevant enough. *shrug*
>>
>> I meant the attack scenario. If it's a top-level navigation there's no
>> same-origin concern. There would be if it happened inside an <iframe>.
>
> I'm not sure I follow the toplevel-vs-iframe distinction here. Why is
> there no same-origin concern with toplevel navigation? Or are we assuming
> things like no ability to window.open from inside the frame before
> navigating the toplevel?

Same-origin or not, it seems valuable to prevent injections from taking
actions that the user couldn't anticipate. Injecting a meta tag can cause
navigation from a good origin to a bad origin, which makes phishing et al.
much simpler, even if the latter doesn't have access to the former.

-mike