
Re: CSP: 'no-external-navigation'?

From: Michal Zalewski <lcamtuf@coredump.cx>
Date: Mon, 30 Jun 2014 16:10:47 -0700
Message-ID: <CALx_OUBV-uv3jJLxwREchaH7O14cVycYfo6J8QAKjsfReCmU7w@mail.gmail.com>
To: pamela fox <pamela.fox@gmail.com>
Cc: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>

> The concerning aspect of this is that it can be used for something like
> phishing attacks, to solicit and store user info.

So as I understand it, you're not trying to prevent phishing as such,
but want to prevent the exfiltration of data by making an outgoing
request?

I'm not sure this is something that CSP really solves (I think the
early Mozilla drafts might have aimed for something along these
lines). For the most part, CSP doesn't really prevent already-running
JavaScript from using window.postMessage() to relay the data to
another window, etc.
Received on Monday, 30 June 2014 23:11:37 UTC
