webappsec-ISSUE-56 (child src navigation): Should we restrict subsequent navigation within child-src? [CSP 1.1]

From: Web Application Security Working Group Issue Tracker <sysbot+tracker@w3.org>
Date: Tue, 14 Jan 2014 22:36:12 +0000
Message-Id: <E1W3Cai-0000HZ-H7@stuart.w3.org>
To: public-webappsec@w3.org

http://www.w3.org/2011/webappsec/track/issues/56

Raised by: Brad Hill
On product: CSP 1.1

We use CSP to govern creation of child browsing contexts of various types.  It makes sense to prevent inline content from creating such links, or from navigating a sub-context itself.  

Does it make sense to prevent the new context from navigating itself?  This is a bit odd, not sure what threats it protects against, and creates some information leakage risks:

http://homakov.blogspot.com/2014/01/using-content-security-policy-for-evil.html

Could we say that frame-src and similar govern only the initial value and parent navigation of the frame, not its own self-navigation?

Received on Tuesday, 14 January 2014 22:36:13 UTC
