Re: [CSP2] Preventing page navigation to untrusted sources

On Tue, Apr 28, 2015 at 10:11 PM, Brad Hill <hillbrad@gmail.com> wrote:

> <hat=individual>
> Good points. I don't imagine we'd ever allow such a policy to prevent
> using, e.g. the built-in back buttons or closing the tab.  (Not that back
> always helps in a long redirect chain, but that's an issue we have to deal
> with today independent of any such directive)
>

Yes, I did not mean to preclude the user manually using the "back"
button--that should function as a user expects. I just meant that an
interstitial type page (if a user agent even decides that's the appropriate
response to a navigation violation) should not encourage the user to return
to the protected resource as a default action. We know that either the page
was compromised or it is abusing CSP to keep visitors from leaving.


-
Dan Veditz

Received on Wednesday, 29 April 2015 08:56:31 UTC