W3C home > Mailing lists > Public > public-webappsec@w3.org > April 2014

Re: CSP no-external-navigation

From: Daniel Veditz <dveditz@mozilla.com>
Date: Wed, 23 Apr 2014 01:18:48 -0700
Message-ID: <53577768.60807@mozilla.com>
To: David Saez Padros <david@ols.es>, public-webappsec@w3.org
On 4/22/2014 12:40 AM, David Saez Padros wrote:
> here is my vote for no-external-navigation directive, we have
> seen several times malicious code injected in web pages that
> redirect the visitor to pay per click affiliate programs or
> to pages with dangerous code intended to infect the visitor

We have avoided dealing with navigation up to now, in part because it's
a big implementation can of worms (lots of ways to trigger a
navigation), and in part because it could be used maliciously to trap a
user on a site -- and we already see scam sites that try to do that
using other browser features.

I suppose we could mitigate the bad effects by saying such a directive:

1) never applies to user choices made through browser UI (back/forward
buttons, bookmarks, typing urls)

2) a blocked navigation still exits the current page (no trapping) but
instead of going to the forbidden location instead you get something
neutral like a browser warning page or the browser's home page or "New
Tab" equivalent. It's still "broken" behavior but that's OK because the
site was presumably attacked or their CSP is buggy (i.e. broken).

We've tended to avoid binary directives like "no-script" or
"no-navigation". something along the lines of "allowed-navigation:" with
a host list (where 'none' and 'self' are valid options) would fit the
existing spec better.

I definitely would NOT be interested in considering this for 1.1 (let's
finish it up, please!). I'm not convinced such a feature is worth the
implementation effort, but if it's something lots of sites think will
help them I'd be willing to talk about it when we bring up 1.2 proposals.

-Dan Veditz
Received on Wednesday, 23 April 2014 08:19:15 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:05 UTC