Re: CSP: 'no-external-navigation'? from Michal Zalewski on 2014-06-30 (public-webappsec@w3.org from June 2014)

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Mon, 30 Jun 2014 11:45:58 -0700
To: Mike West <mkwst@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CALx_OUAZCoXh2ZQ=kmEM-6gxRBvsfRc1=ySFRaOxzPmbNVJ7vQ@mail.gmail.com>

> We've talked briefly about similar concepts in the past in the context of
> the next iteration of CSP; at first glance it seems like something that
> might be useful in narrow use-cases, but that I'm worried will be abused to
> keep folks on pages they don't particularly want to be on (see  what
> happened with `window.onbeforeunload` modals).

If I read this correctly, the request is to prevent programmatic
navigation within the CSP-sandboxed frame, not prevent the user from
relying on bookmarks, manually entered URLs, etc.

That said, I'm not sure this is a very meaningful goal if you're
otherwise permitting largely unconstrained JS to run on the page (and
you're using CSP to "sandbox" it) - what would be the goal? Can't the
JS achieve roughly the same without navigating its own frame away?

/mz

Received on Monday, 30 June 2014 18:46:45 UTC