[CSP2] How to restrict resources linking to

From: yao zhongxiao <zhongxiao.yzx@gmail.com>
Date: Mon, 31 Aug 2015 17:17:16 +0800
Message-ID: <CAHKtDqdR-6r7056PEyPCLyuwqW7p4AQhCcDFa=q_TOg7EBM1nQ@mail.gmail.com>
To: public-webappsec@w3.org
Cc: mkwst@google.com, w3c@adambarth.com, dveditz@mozilla.com

Sorry if it was out of scope, I am quite new to this mailing list.

I want to seek advice from all of you about the rules to restrict malicious
hyperlinks that will be linked to.
There are the following ways, but not limited to those:
1. <a href="https://www.evil.com/hijacked/Phishing.html">Visit illegal
website</a>
2. <link href="https://www.evil.com/hijacked/Phishing.html"
rel="external">Visit illegal website</a>
3. window.open("https://www.evil.com/hijacked/Phishing.html")

Please let me abstract the above cases and illustrate them with the following
scenario.
PageA has a hyperlink to PageB, and one of the pages is a malicious webpage.
If we take roles into consideration, there are two cases.
1. PageA  ---links to---> *PageB
2. *PageA ---links to---> PageB
where "*" indicates the current or protected page, and the other is the
restricted page.

As far as I know, the referrer directive could be used to constrain the sources
of the current page in CSP rules [https://w3c.github.io/webappsec/specs/CSP2/].
However, it seems to be incapable of restricting the resources that will
be linked to. That means CSP can cover case 1, but it cannot cover case
2. (Am I right?)

Above all, there are 2 questions as follows:
1. Is there an existing solution or workaround solutions?
2. Is it possible to add directives for href to provide an easy way to
constrain the resources that will be referred from the current protected
page?


It would be my pleasure if I could get a reply and have a discussion on this topic!

Sincerely!

Zhongxiao Yao

China.
Received on Monday, 31 August 2015 09:17:45 UTC