- From: David Saez Padros <david@ols.es>
- Date: Wed, 23 Apr 2014 11:00:27 +0200
- To: Daniel Veditz <dveditz@mozilla.com>, public-webappsec@w3.org

Hi

> We have avoided dealing with navigation up to now, in part because it's
> a big implementation can of worms (lots of ways to trigger a
> navigation), and in part because it could be used maliciously to trap a
> user on a site -- and we already see scam sites that try to do that
> using other browser features.

FF already has a user option to warn on redirects

> I suppose we could mitigate the bad effects by saying such a directive:
>
> 1) never applies to user choices made through browser UI (back/forward
> buttons, bookmarks, typing urls)

of course, this should be mainly intended for automated redirects
(javascript, meta tag, or maybe even server redirects, but not for
user actions)

> We've tended to avoid binary directives like "no-script" or
> "no-navigation". something along the lines of "allowed-navigation:" with
> a host list (where 'none' and 'self' are valid options) would fit the
> existing spec better.

sounds better

--
Best regards ...

----------------------------------------------------------------
David Saez
On-Line Services 2000 S.L.
http://www.ols.es
----------------------------------------------------------------

Received on Wednesday, 23 April 2014 09:28:50 UTC