- From: Mike West <mkwst@google.com>
- Date: Mon, 30 Jun 2014 22:26:05 +0200
- To: Michal Zalewski <lcamtuf@coredump.cx>, pamela.fox@gmail.com
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Monday, 30 June 2014 20:26:54 UTC
+Pamela

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registration court and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Mon, Jun 30, 2014 at 8:45 PM, Michal Zalewski <lcamtuf@coredump.cx> wrote:
>> We've talked briefly about similar concepts in the past in the context of
>> the next iteration of CSP; at first glance it seems like something that
>> might be useful in narrow use-cases, but that I'm worried will be abused to
>> keep folks on pages they don't particularly want to be on (see what
>> happened with `window.onbeforeunload` modals).
>
> If I read this correctly, the request is to prevent programmatic
> navigation within the CSP-sandboxed frame, not prevent the user from
> relying on bookmarks, manually entered URLs, etc.
>
> That said, I'm not sure this is a very meaningful goal if you're
> otherwise permitting largely unconstrained JS to run on the page (and
> you're using CSP to "sandbox" it) - what would be the goal? Can't the
> JS achieve roughly the same without navigating its own frame away?
>
> /mz