Re: CSP no-external-navigation

From: Mike West <mkwst@google.com>
Date: Wed, 23 Apr 2014 14:28:54 +0200
Message-ID: <CAKXHy=fERuf8JXjGEpnd80XuHNjdVdrJtaWWoKyTm-XyhEHkhg@mail.gmail.com>
To: David Saez Padros <david@ols.es>
Cc: Daniel Veditz <dveditz@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
1. Totally agree that this is not up for consideration in 1.1, which we
totally need to close out, and which I am very much behind on because of
vacation and other obligations (sorry!).

2. What kinds of navigations would you consider "automated redirects"? It
seems like we'd need an exhaustive list of navigations that we can agree
upon in order to determine whether this sort of directive makes sense for
1.2.

3. What is the threat model that you expect this directive to address? It
seems like scripted navigations would be more or less completely subsumed
under 'script-src', for example. What can't you cover with current
directives that this directive would take care of?

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)


On Wed, Apr 23, 2014 at 11:00 AM, David Saez Padros <david@ols.es> wrote:

> Hi
>
>
>> We have avoided dealing with navigation up to now, in part because it's
>> a big implementation can of worms (lots of ways to trigger a
>> navigation), and in part because it could be used maliciously to trap a
>> user on a site -- and we already see scam sites that try to do that
>> using other browser features.
>>
>
> FF already has a user option to warn on redirects
>
>
>> I suppose we could mitigate the bad effects by saying such a directive:
>>
>> 1) never applies to user choices made through browser UI (back/forward
>> buttons, bookmarks, typing urls)
>>
>
> of course, this should be mainly intended for automated redirects
> (javascript, meta tag, or maybe even server redirects, but not for user
> actions)
>
>
>> We've tended to avoid binary directives like "no-script" or
>> "no-navigation". Something along the lines of "allowed-navigation:" with
>> a host list (where 'none' and 'self' are valid options) would fit the
>> existing spec better.
>>
>
> sounds better
>
>
> --
> Best regards ...
>
> ----------------------------------------------------------------
>    David Saez
>    On-Line Services 2000 S.L.
>    http://www.ols.es
> ----------------------------------------------------------------
Received on Wednesday, 23 April 2014 12:29:44 UTC
