W3C home > Mailing lists > Public > public-webappsec@w3.org > June 2014

Re: CSP: 'no-external-navigation'?

From: Mike West <mkwst@google.com>
Date: Mon, 30 Jun 2014 22:26:05 +0200
Message-ID: <CAKXHy=cBXUDtz6-KBZGqxYfoBPw0MOPxSt+OwyvZ1bF43tHSSw@mail.gmail.com>
To: Michal Zalewski <lcamtuf@coredump.cx>, pamela.fox@gmail.com
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
+Pamela

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)


On Mon, Jun 30, 2014 at 8:45 PM, Michal Zalewski <lcamtuf@coredump.cx>
wrote:

> > We've talked briefly about similar concepts in the past in the context of
> > the next iteration of CSP; at first glance it seems like something that
> > might be useful in narrow use-cases, but that I'm worried will be abused
> to
> > keep folks on pages they don't particularly want to be on (see  what
> > happened with `window.onbeforeunload` modals).
>
> If I read this correctly, the request is to prevent programmatic
> navigation within the CSP-sandboxed frame, not prevent the user from
> relying on bookmarks, manually entered URLs, etc.
>
> That said, I'm not sure this is a very meaningful goal if you're
> otherwise permitting largely unconstrained JS to run on the page (and
> you're using CSP to "sandbox" it) - what would be the goal? Can't the
> JS achieve roughly the same without navigating its own frame away?
>
> /mz
>
Received on Monday, 30 June 2014 20:26:54 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:05 UTC