
Re: Frame Ancestors and Referrer (Re: [webappsec] Call for Consensus: Stop work on Content Security Policy 1.0, transition to WG Note)

From: Mike West <mkwst@google.com>
Date: Mon, 27 Oct 2014 10:52:19 +0100
Message-ID: <CAKXHy=dxy8Xat1R-8k8NoZOy7zh+KE7FOT6EVK_ELX+a4tB7XA@mail.gmail.com>
To: Sean Snider <ssnider@yahoo-inc.com>
Cc: Devdatta Akhawe <dev.akhawe@gmail.com>, Michal Zalewski <lcamtuf@coredump.cx>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Sat, Oct 25, 2014 at 2:37 AM, Sean Snider <ssnider@yahoo-inc.com> wrote:

> Actually in that case, you don't lose the referrer. . . data URI, or
> about:blank inherit the referrer of the parent if nothing
> is there (at least for document.referrer).  And also even if it didn't,
> you'd get a blank referrer, in which case in my example,
> goodguys.org would just take action and not do anything or nuke
> themselves or whatever. . .

At least in Chrome, that's not the case. See http://jsbin.com/jalalazedi/1/
for example.

> I was wondering if instead of a whitelist of URIs/origins, it might be valid
> to specify the level that you are expected to be nested or allowed to be
> nested. . . and you could even do that with URIs as well.
> Certainly there are cases where you only ever want to have your content in
> an IFRAME if it's a direct child of someone else. I think we can save that
> for the next round of CSP though. . .

Seems like a reasonable thing to think about. Filed
https://www.w3.org/2011/webappsec/track/actions/192 so we don't forget it.

> But back to referrer. . . what's the valid use-case for "none"?  Is it
> really just about data-leakage?  If that's the case, then I'd argue strongly
> against none, and just allow stripping down.  Rarely do hostname and scheme
> contain sensitive information, and in that case. . . really the site itself
> should be set up differently :P
> At the moment, my recommendation is to remove none from CSP 2.0 candidate
> . . . but let's hear the thoughts. . .

What's the justification for anything other than 'none'? Shouldn't we have
to justify information leakage, rather than justifying not leaking data
about user activity on the web?

The fact that portions of the web depend on getting referrer information in
order to make security decisions is unfortunate, and makes it difficult for
us to change the default, but shouldn't be accepted as an argument for
denying sites the opportunity to choose something other than the status quo.

Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
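As an added illustration (not code from the thread or from any CSP implementation), the Python below models the three things under discussion: what a referrer looks like under "none" versus stripping down to scheme and host versus the full URL, the nesting-depth framing rule Sean proposes, and a referrer-based decision of the kind goodguys.org is described as making. Policy labels, function names and the sample URLs are this example's own.

```python
from urllib.parse import urlsplit, urlunsplit


def origin_of(url):
    """Return scheme://host[:port] for a URL (credentials, path, query and fragment dropped)."""
    p = urlsplit(url)
    host = p.hostname or ""
    if p.port:
        host = f"{host}:{p.port}"
    return f"{p.scheme}://{host}"


# Referrer values the thread contrasts. The policy names are labels chosen
# for this example, not header syntax: "full" sends the URL minus credentials
# and fragment, "origin" is the "stripping down" option (scheme + host only),
# and "none" sends no referrer at all.
def referrer_for(policy, document_url):
    if policy == "none":
        return None
    if policy == "origin":
        return origin_of(document_url) + "/"
    if policy == "full":
        p = urlsplit(document_url)
        return urlunsplit((p.scheme, origin_of(document_url).split("://", 1)[1], p.path, p.query, ""))
    raise ValueError(f"unknown policy {policy!r}")


# The nesting-depth rule from the thread: every ancestor origin must be on the
# allow-list, and the document may be nested at most max_depth frames deep.
# ancestor_origins runs from the direct parent outward to the top-level page;
# max_depth=1 expresses "only as a direct child of someone on the list".
def framing_allowed(ancestor_origins, allowed_origins, max_depth):
    if not ancestor_origins:
        return True  # top-level document, nothing to restrict
    if len(ancestor_origins) > max_depth:
        return False
    return all(origin in allowed_origins for origin in ancestor_origins)


# A referrer-based decision as in the goodguys.org example: a blank referrer
# means "do nothing"; only a present referrer from an untrusted origin triggers
# a defensive action such as refusing to render inside the frame.
def should_defend_against_framer(referrer, trusted_origins):
    if not referrer:
        return False
    return origin_of(referrer) not in trusted_origins
```

Under the "none" policy the decision function never fires, which is the fragility Sean's example alludes to, while the depth rule does not depend on the referrer at all.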
Received on Monday, 27 October 2014 09:53:10 UTC
