Re: CSP: 'no-external-navigation'?

> The concerning aspect of this is that it can be used for something like
> phishing attacks, to solicit and store user info.

So as I understand it, you're not trying to prevent phishing as such,
but want to prevent the exfiltration of data by making an outgoing

I'm not sure this is something that CSP really solves (I think the
early Mozilla drafts might have aimed for something along these
lines). For most part, CSP doesn't really prevent already-running
JavaScript from using window.postMessage() to relay the data to
another window, etc.

Received on Monday, 30 June 2014 23:11:37 UTC