
Re: CSP no-external-navigation

From: David Saez Padros <david@ols.es>
Date: Wed, 23 Apr 2014 11:00:27 +0200
Message-ID: <5357812B.20702@ols.es>
To: Daniel Veditz <dveditz@mozilla.com>, public-webappsec@w3.org
Hi

> We have avoided dealing with navigation up to now, in part because it's
> a big implementation can of worms (lots of ways to trigger a
> navigation), and in part because it could be used maliciously to trap a
> user on a site -- and we already see scam sites that try to do that
> using other browser features.

FF already has a user option to warn on redirects

> I suppose we could mitigate the bad effects by saying such a directive:
>
> 1) never applies to user choices made through browser UI (back/forward
> buttons, bookmarks, typing urls)

Of course, this should be mainly intended for automated redirects
(JavaScript, meta tag, or maybe even server redirects, but not for user
actions).

> We've tended to avoid binary directives like "no-script" or
> "no-navigation". something along the lines of "allowed-navigation:" with
> a host list (where 'none' and 'self' are valid options) would fit the
> existing spec better.

Sounds better.

-- 
Best regards ...

----------------------------------------------------------------
    David Saez
    On-Line Services 2000 S.L.
    http://www.ols.es
----------------------------------------------------------------
Received on Wednesday, 23 April 2014 09:28:50 UTC
