Re: CSP: 'no-external-navigation'?

> I think it's both. If we can prevent the exfiltration of data, we can also
> prevent phishing attacks.

Well, not per se - you still allow scripts that may ask the users for
their credentials and such; you're just hoping that they won't be able
to hand these over to a remote server or other document, right?

Unfortunately, the latter, I think, is probably ~impossible :-(
postMessage() is just one example, but there is a multitude of ways
that JavaScript in a sandbox can communicate with the outside world
without navigation or direct requests; for example, it's fairly
straightforward to relay messages by modulating CPU load, by putting
them in window.name or similar places, etc. There have been quite a
few academic papers that hinged on the assumption that such side
channels do not exist or can be suppressed reliably, but I haven't seen
anything that would seem realistic, TBH :-(

( In fact, the earliest experiment back in Netscape Navigator days is
probably http://docstore.mik.ua/orelly/web/jscript/ch20_04.html )

/mz

Received on Monday, 7 July 2014 04:57:15 UTC