- From: yao zhongxiao <zhongxiao.yzx@gmail.com>
- Date: Mon, 31 Aug 2015 17:17:16 +0800
- To: public-webappsec@w3.org
- Cc: mkwst@google.com, w3c@adambarth.com, dveditz@mozilla.com
- Message-ID: <CAHKtDqdR-6r7056PEyPCLyuwqW7p4AQhCcDFa=q_TOg7EBM1nQ@mail.gmail.com>
Sorry if this is out of scope, I am quite new to this mailing list. I want to seek advice from all of you about rules to restrict the malicious hyperlinks that a page may link to. There are the following ways, but not limited to these:

1. <a href="https://www.evil.com/hijacked/Phishing.html">Visit illegal website</a>
2. <link href="https://www.evil.com/hijacked/Phishing.html" rel="external">Visit illegal website</a>
3. window.open("https://www.evil.com/hijacked/Phishing.html")

Please let me abstract the above cases and illustrate them with the following scenario. PageA has a hyperlink to PageB, and one of the pages is a malicious web page. If we take roles into consideration, there are two cases:

1. PageA ---links to---> *PageB
2. *PageA ---links to---> PageB

where "*" indicates the current or protected page, and the other is the restricted page.

As far as I know, the referrer directive could be used to constrain the sources of the current page in CSP rules [https://w3c.github.io/webappsec/specs/CSP2/]. However, it seems to be incapable of restricting the resources that will be linked to. That means CSP can cover case 1, but it cannot cover case 2. (Am I right?)

Above all, there are two questions, as follows:

1. Is there an existing solution or a workaround?
2. Is it possible to add directives for href to provide an easy way to constrain the resources that will be referred to from the current protected page?

It would be my pleasure to get a reply and discuss this topic!

Sincerely,
Zhongxiao Yao
China.
Received on Monday, 31 August 2015 09:17:45 UTC
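One build-time workaround for case 2 (the protected page linking out), added here as an example and not code from the poster or from the W3C: a checker that resolves every <a href>, <link href> and window.open("...") target in a page and reports those whose origin is not on an allowlist. The allowlist, the page URL and the sample HTML are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed allowlist of origins the protected page may link to (illustrative values).
ALLOWED_ORIGINS = {"https://www.example.com", "https://docs.example.com"}
WINDOW_OPEN_RE = re.compile(r"""window\.open\(\s*(['"])(.*?)\1""")


def origin_of(url, page_url):
    """Resolve url against the page URL and return its origin (scheme://host[:port])."""
    parts = urlsplit(urljoin(page_url, url))
    if parts.scheme not in ("http", "https"):
        return parts.scheme + ":"  # javascript:, data: etc. never match an allowed origin
    return f"{parts.scheme}://{parts.netloc}".lower()


class LinkCollector(HTMLParser):
    """Collects href targets of <a>/<link> and window.open("...") calls in inline scripts."""
    def __init__(self):
        super().__init__()
        self.targets, self._in_script = [], False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("a", "link") and attrs.get("href"):
            self.targets.append((tag, attrs["href"]))
        self._in_script = self._in_script or tag == "script"

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:  # html.parser hands script bodies to handle_data as raw text
            for m in WINDOW_OPEN_RE.finditer(data):
                self.targets.append(("window.open", m.group(2)))


def find_disallowed_links(html, page_url, allowed=ALLOWED_ORIGINS):
    """Return (source, target) pairs whose resolved origin is not on the allowlist."""
    collector = LinkCollector()
    collector.feed(html)
    return [(src, t) for src, t in collector.targets if origin_of(t, page_url) not in allowed]


# Constructed sample page: one relative link, one allowed external link, two disallowed targets.
SAMPLE_HTML = """<a href="/about.html">About</a>
<a href="https://www.evil.example/hijacked/Phishing.html">Visit</a>
<link href="https://docs.example.com/help" rel="external">
<script>window.open("https://www.evil.example/popup.html")</script>"""
```

Running find_disallowed_links(SAMPLE_HTML, "https://www.example.com/index.html") reports the <a> and window.open targets on www.evil.example and accepts the relative and docs.example.com links.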