- From: Mike West <mkwst@google.com>
- Date: Wed, 23 Apr 2014 14:28:54 +0200
- To: David Saez Padros <david@ols.es>
- Cc: Daniel Veditz <dveditz@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
- Message-ID: <CAKXHy=fERuf8JXjGEpnd80XuHNjdVdrJtaWWoKyTm-XyhEHkhg@mail.gmail.com>
1. Totally agree that this is not up for consideration in 1.1, which we totally need to close out, and which I am very much behind on because of vacation and other obligations (sorry!). 2. What kinds navigations would you consider "automated redirects"? It seems like we'd need an exhaustive list of navigations that we can agree upon in order to determine whether this sort of directive makes sense for 1.2. 3. What is the threat model that you expect this directive to address? It seems like scripted navigations would be more or less completely subsumed under 'script-src', for example. What can't you cover with current directives that this directive would take care of? -mike -- Mike West <mkwst@google.com> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91 Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany Registergericht und -nummer: Hamburg, HRB 86891 Sitz der Gesellschaft: Hamburg Geschäftsführer: Graham Law, Christine Elizabeth Flores (Sorry; I'm legally required to add this exciting detail to emails. Bleh.) On Wed, Apr 23, 2014 at 11:00 AM, David Saez Padros <david@ols.es> wrote: > Hi > > > We have avoided dealing with navigation up to now, in part because it's >> a big implementation can of worms (lots of ways to trigger a >> navigation), and in part because it could be used maliciously to trap a >> user on a site -- and we already see scam sites that try to do that >> using other browser features. >> > > FF already has a user option to warn on redirects > > > I suppose we could mitigate the bad effects by saying such a directive: >> >> 1) never applies to user choices made through browser UI (back/forward >> buttons, bookmarks, typing urls) >> > > of course, this should be mainly intended for automated redirects > (javascript, meta tag, or maybe even server redirects, but not for user > actions) > > > We've tended to avoid binary directives like "no-script" or >> "no-navigation". something along the lines of "allowed-navigation:" with >> a host list (where 'none' and 'self' are valid options) would fit the >> existing spec better. >> > > sounds better > > > -- > Best regards ... > > ---------------------------------------------------------------- > David Saez > On-Line Services 2000 S.L. > http://www.ols.es > ---------------------------------------------------------------- > > > > >
Received on Wednesday, 23 April 2014 12:29:44 UTC