- From: Web Application Security Working Group Issue Tracker <sysbot+tracker@w3.org>
- Date: Tue, 14 Jan 2014 22:36:12 +0000
- To: public-webappsec@w3.org
webappsec-ISSUE-56 (child src navigation): Should we restrict subsequent navigation within child-src? [CSP 1.1]

http://www.w3.org/2011/webappsec/track/issues/56

Raised by: Brad Hill
On product: CSP 1.1

We use CSP to govern creation of child browsing contexts of various types. It makes sense to prevent inline content from creating such links, or from navigating a sub-context itself. Does it make sense to prevent the new context from navigating itself?

This is a bit odd, not sure what threats it protects against, and creates some information leakage risks:

http://homakov.blogspot.com/2014/01/using-content-security-policy-for-evil.html

Could we say that frame-src and similar govern only the initial value and parent navigation of the frame, not its own self-navigation?
Received on Tuesday, 14 January 2014 22:36:13 UTC
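As an added illustration (not part of the original issue or of any CSP implementation), the following Python models CSP 1.1 source-expression matching and evaluates a `frame-src` value against a frame's initial URL and a later self-navigation under the two readings the issue contrasts; the page, policy and URLs are constructed sample values, and scheme-less host-sources are simplified to take the protected page's scheme.

```python
from urllib.parse import urlsplit
DEFAULT_PORTS = {"http": 80, "https": 443}
# Constructed sample values: the protected page, its frame-src value, the URL the parent
# loads into the frame, and a URL the framed document later navigates itself to.
PAGE = "https://app.example/page"
POLICY = "'self' https://*.partner.example"
INITIAL = "https://app.example/widget"
LATER = "https://other.example/landing"

def origin_of(url):
    u = urlsplit(url)
    return f"{u.scheme}://{u.hostname}:{u.port or DEFAULT_PORTS.get(u.scheme)}"

def _host_matches(pattern, host):
    # "*.partner.example" matches any subdomain but never the bare "partner.example"
    return host.endswith(pattern[1:]) if pattern.startswith("*.") else pattern == host

def source_matches(expr, url, page_url):
    """CSP 1.1 source-expression matching: 'none', 'self', scheme-source, host-source."""
    u = urlsplit(url)
    if expr == "'none'":
        return False
    if expr == "'self'":
        return origin_of(url) == origin_of(page_url)
    if expr.endswith(":") and "/" not in expr:  # scheme-source such as "https:"
        return u.scheme == expr[:-1].lower()
    if "://" in expr:  # host-source with explicit scheme
        scheme, rest = expr.split("://", 1)
    else:  # simplification: scheme-less host-source takes the protected page's scheme
        scheme, rest = urlsplit(page_url).scheme, expr
    if u.scheme != scheme.lower():
        return False
    hostport = rest.split("/", 1)[0]
    host, _, port = hostport.rpartition(":") if ":" in hostport else (hostport, "", "")
    if not _host_matches(host.lower(), (u.hostname or "").lower()):
        return False
    if port == "*":
        return True
    wanted = int(port) if port else DEFAULT_PORTS.get(u.scheme)
    return (u.port or DEFAULT_PORTS.get(u.scheme)) == wanted

def allowed_by(directive_value, url, page_url):
    return any(source_matches(e, url, page_url) for e in directive_value.split())

def frame_navigations(directive_value, page_url, initial_url, later_url, govern_self_navigation):
    """(initial_allowed, later_allowed): the directive governs only the parent's initial load,
    or, with govern_self_navigation=True, the frame's own later navigation as well."""
    initial = allowed_by(directive_value, initial_url, page_url)
    later = allowed_by(directive_value, later_url, page_url) if govern_self_navigation else True
    return initial, later
```

Under the "initial load only" reading the frame's later navigation is never blocked, so a policy-enforcing user agent also never emits a violation report for it; under the other reading the report reveals the blocked destination, which is the leakage concern the issue points to.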