
Re: [CSP2] Preventing page navigation to untrusted sources

From: Daniel Veditz <dveditz@mozilla.com>
Date: Wed, 29 Apr 2015 01:56:03 -0700
Message-ID: <CADYDTCDYOpkmRwjCviW7=YYJggi93JSj70xrJOfxcuEogsJhbA@mail.gmail.com>
To: Brad Hill <hillbrad@gmail.com>
Cc: David Mulder <david.mulder@ymail.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Tue, Apr 28, 2015 at 10:11 PM, Brad Hill <hillbrad@gmail.com> wrote:

> <hat=individual>
> Good points. I don't imagine we'd ever allow such a policy to prevent
> using, e.g. the built-in back buttons or closing the tab. (Not that back
> always helps in a long redirect chain, but that's an issue we have to deal
> with today independent of any such directive.)
>

Yes, I did not mean to preclude the user manually using the "back"
button--that should function as a user expects. I just meant that an
interstitial type page (if a user agent even decides that's the appropriate
response to a navigation violation) should not encourage the user to return
to the protected resource as a default action. We know that either the page
was compromised or it is abusing CSP to keep visitors from leaving.


--
Dan Veditz
Received on Wednesday, 29 April 2015 08:56:31 UTC
