
Re: CSP no-external-navigation

From: David Saez Padros <david@ols.es>
Date: Wed, 23 Apr 2014 17:20:26 +0200
Message-ID: <5357DA3A.8040303@ols.es>
To: Mike West <mkwst@google.com>
CC: Daniel Veditz <dveditz@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Hi

> 2. What kinds of navigations would you consider "automated redirects"?

mainly window.location and meta http-equiv="refresh", server 3xx
redirects and any other scripted redirect (not sure if Java, Flash
or similar can make redirects)

> It
> seems like we'd need an exhaustive list of navigations that we can agree
> upon in order to determine whether this sort of directive makes sense
> for 1.2.

maybe it would be better to define those redirects as any non-human-
initiated redirect

> 3. What is the threat model that you expect this directive to address?

we have seen several pieces of malicious code injected in web pages that
redirect the visitors to pay-per-click affiliate programs or
to pages with dangerous code intended to infect the visitor; please
note that this does not only use eval or inline scripting but can
also infect server JS files or add meta refresh tags

> It seems like scripted navigations would be more or less completely
> subsumed under 'script-src', for example. What can't you cover with
> current directives that this directive would take care of?

I cannot see any way to forbid redirects in CSP 1.1 script-src, at least
in http://www.w3.org/TR/CSP11/#script-src


> --
> Mike West <mkwst@google.com <mailto:mkwst@google.com>>
> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> Registergericht und -nummer: Hamburg, HRB 86891
> Sitz der Gesellschaft: Hamburg
> Geschäftsführer: Graham Law, Christine Elizabeth Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
>
>
> On Wed, Apr 23, 2014 at 11:00 AM, David Saez Padros <david@ols.es
> <mailto:david@ols.es>> wrote:
>
>     Hi
>
>
>         We have avoided dealing with navigation up to now, in part
>         because it's
>         a big implementation can of worms (lots of ways to trigger a
>         navigation), and in part because it could be used maliciously to
>         trap a
>         user on a site -- and we already see scam sites that try to do that
>         using other browser features.
>
>
>     FF already has a user option to warn on redirects
>
>
>         I suppose we could mitigate the bad effects by saying such a
>         directive:
>
>         1) never applies to user choices made through browser UI
>         (back/forward
>         buttons, bookmarks, typing urls)
>
>
>     of course, this should be mainly intended for automated redirects
>     (javascript, meta tag, or maybe even server redirects, but not for user
>     actions)
>
>
>         We've tended to avoid binary directives like "no-script" or
>         "no-navigation". something along the lines of
>         "allowed-navigation:" with
>         a host list (where 'none' and 'self' are valid options) would
>         fit the
>         existing spec better.
>
>
>     sounds better


-- 
Salu-2 y hasta pronto ...

----------------------------------------------------------------
    David Saez
    On-Line Services 2000 S.L.
    http://www.ols.es
----------------------------------------------------------------
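As an added detection example that is not part of this thread or of any CSP implementation: a small Python scanner that flags the three automated redirect kinds named above (meta refresh, scripted location changes, server 3xx Location) when they point off-origin, which is the signal a defender would look for when checking served pages for injected redirects. The sample HTML, headers and host names are constructed; the regexes are a heuristic, not a full HTML/JS parser, and they assume `http-equiv` precedes `content` inside the meta tag.

```python
import re
from urllib.parse import urlparse

# <meta http-equiv="refresh" content="N; url=TARGET"> (http-equiv before content assumed)
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv\s*=\s*["\']?refresh["\']?[^>]*content\s*=\s*["\']?'
    r'[^;"\']*;\s*url\s*=\s*([^"\'>\s]+)', re.IGNORECASE)
# window.location = "...", location.href = "...", location.assign("..."), location.replace("...")
SCRIPTED_NAV = re.compile(
    r'(?:window\.|document\.|top\.|self\.)?location(?:\.href|\.assign\(|\.replace\()?'
    r'\s*=?\s*\(?\s*["\']([^"\']+)["\']', re.IGNORECASE)


def _host(url):
    # Relative URLs have no host and are treated as same-origin.
    return (urlparse(url).hostname or '').lower()


def find_external_redirects(html, origin_host, headers=None):
    """Return [(kind, target), ...] for automated redirects that leave origin_host.

    html: page body to scan; origin_host: the site's own host name;
    headers: optional dict of response headers, so a server 3xx Location
    is checked the same way as the in-page redirects."""
    findings = []
    for m in META_REFRESH.finditer(html):
        if _host(m.group(1)) not in ('', origin_host):
            findings.append(('meta-refresh', m.group(1)))
    for m in SCRIPTED_NAV.finditer(html):
        if _host(m.group(1)) not in ('', origin_host):
            findings.append(('scripted', m.group(1)))
    if headers:
        loc = headers.get('Location') or headers.get('location')
        if loc and _host(loc) not in ('', origin_host):
            findings.append(('3xx-location', loc))
    return findings


# Constructed sample: one injected meta refresh, one injected scripted redirect,
# and one legitimate same-origin navigation that must not be flagged.
SAMPLE_HTML = '''<html><head>
<meta http-equiv="refresh" content="0; url=http://ads.example.net/click">
<script>window.location.href = "https://malware.example.org/drop";</script>
<script>location.replace("/login");</script>
</head></html>'''
SAMPLE_HEADERS = {'Location': 'http://attacker.example/'}  # constructed 3xx response header


def demo():
    return find_external_redirects(SAMPLE_HTML, 'shop.example', SAMPLE_HEADERS)


if __name__ == '__main__':
    for kind, target in demo():
        print(kind, target)
```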
Received on Wednesday, 23 April 2014 15:31:07 UTC
