Re: CSP no-external-navigation

Hi

> We have avoided dealing with navigation up to now, in part because it's
> a big implementation can of worms (lots of ways to trigger a
> navigation), and in part because it could be used maliciously to trap a
> user on a site -- and we already see scam sites that try to do that
> using other browser features.

FF already has a user option to warn on redirects

> I suppose we could mitigate the bad effects by saying such a directive:
>
> 1) never applies to user choices made through browser UI (back/forward
> buttons, bookmarks, typing urls)

Of course, this should mainly be intended for automated redirects
(JavaScript, meta tag, or maybe even server redirects, but not for user
actions).

> We've tended to avoid binary directives like "no-script" or
> "no-navigation". something along the lines of "allowed-navigation:" with
> a host list (where 'none' and 'self' are valid options) would fit the
> existing spec better.

Sounds better.

-- 
Best regards ...

----------------------------------------------------------------
    David Saez
    On-Line Services 2000 S.L.
    http://www.ols.es
----------------------------------------------------------------
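Added illustration (not part of the thread, and not code from any browser or from the CSP spec): a toy evaluator for the hypothetical "allowed-navigation" directive sketched above. It applies the two ideas in the exchange, a host-list value in the style of existing CSP source lists with 'self' and 'none', and scope limited to automated redirects (script, meta refresh, server redirect) rather than navigations the user makes through browser UI. The directive name, its grammar, the trigger names and the sample policy/origin are all assumptions.

```javascript
// Added example, not from the thread or any specification. Models a
// hypothetical "allowed-navigation" CSP directive: a source list like
// "'self' https://partner.example *.cdn.example:443" that governs only
// automated navigations. Runs under Node (uses the global URL class).

function defaultPort(protocol) {
  return protocol === "https:" ? "443" : protocol === "http:" ? "80" : "";
}

// Parse a directive value into matcher functions over a URL object.
// Supported (assumed) source expressions: 'none', 'self', "scheme:",
// and host-source "[scheme://][*.]host[:port|:*]".
function parseAllowedNavigation(value, documentOrigin) {
  const tokens = value.trim().split(/\s+/).filter(Boolean);
  if (tokens.length === 1 && tokens[0].toLowerCase() === "'none'") {
    return { none: true, matchers: [] };
  }
  const self = new URL(documentOrigin);
  const matchers = tokens.map((tok) => {
    const t = tok.toLowerCase();
    if (t === "'self'") {
      return (u) => u.origin === self.origin;
    }
    if (/^[a-z][a-z0-9+.-]*:$/.test(t)) {
      // scheme-source such as "https:"
      return (u) => u.protocol === t;
    }
    const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)(?::(\d+|\*))?$/.exec(t);
    if (!m) throw new Error(`unsupported source expression: ${tok}`);
    const [, scheme, wildcard, host, port] = m;
    return (u) => {
      if (scheme && u.protocol !== scheme + ":") return false;
      const h = u.hostname.toLowerCase();
      if (wildcard) {
        if (!h.endsWith("." + host)) return false; // *.cdn.example matches subdomains only
      } else if (h !== host) {
        return false;
      }
      if (port && port !== "*") {
        // Compare against the effective port so "https://x" matches "x:443".
        const effective = u.port || defaultPort(u.protocol);
        if (effective !== port) return false;
      }
      return true;
    };
  });
  return { none: false, matchers };
}

// Trigger kinds the directive would cover, following the thread: automated
// redirects only. Anything else (back/forward, bookmarks, typed URLs) is
// always allowed so the policy cannot trap the user.
const AUTOMATED_TRIGGERS = new Set(["script", "meta-refresh", "server-redirect"]);

// Decide whether a navigation from documentOrigin to target is permitted.
// Returns { allowed, reason }.
function evaluateNavigation(policyValue, documentOrigin, target, trigger) {
  if (!AUTOMATED_TRIGGERS.has(trigger)) {
    return { allowed: true, reason: "user-initiated navigation is out of scope" };
  }
  const policy = parseAllowedNavigation(policyValue, documentOrigin);
  const u = new URL(target, documentOrigin); // resolve relative targets like "/account"
  if (policy.none) {
    return { allowed: false, reason: "'none' blocks all automated navigation" };
  }
  const ok = policy.matchers.some((match) => match(u));
  return { allowed: ok, reason: ok ? "matched source list" : "no source matched " + u.origin };
}

// Constructed sample policy and origin (assumptions, not real deployment data).
const SAMPLE_POLICY = "'self' https://partner.example *.cdn.example:443";
const SAMPLE_ORIGIN = "https://www.ols.es";

const samples = [
  ["/account", "script"],                          // same origin: allowed
  ["https://evil.example/phish", "meta-refresh"],  // not listed: blocked
  ["https://static.cdn.example/x", "server-redirect"], // wildcard host, port 443: allowed
  ["http://static.cdn.example/x", "server-redirect"],  // port 80 != 443: blocked
  ["https://evil.example/", "back-button"],        // user action: allowed
];
for (const [target, trigger] of samples) {
  const r = evaluateNavigation(SAMPLE_POLICY, SAMPLE_ORIGIN, target, trigger);
  console.log(`${trigger.padEnd(15)} ${target.padEnd(32)} ${r.allowed ? "ALLOW" : "BLOCK"} (${r.reason})`);
}
```

Two design points worth noticing: the port comparison uses the effective port, so a listed `*.cdn.example:443` does not accidentally admit a plain-http redirect to the same host; and the trigger check runs before the policy is even parsed, so a buggy or hostile policy value can never affect user-driven navigation.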

Received on Wednesday, 23 April 2014 09:28:50 UTC