W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2015

[CSP2] browser behavior on frame-ancestors violation through previous iframe content navigation

From: <fredericdelaporte@free.fr>
Date: Fri, 4 Sep 2015 23:50:15 +0200 (CEST)
To: public-webappsec@w3.org
Message-ID: <1664649448.27692697.1441403415807.JavaMail.root@zimbra60-e10.priv.proxad.net>
Hi,

Let have a page A iframing a page B, which contain a simple link (a href) to a page C.
Let CSP frame-ancestors allow framing of B in A, but disallow framing of C in A.

Browsing A, what should be a sound browser behavior when clicking link to C?

Current Chrome and Firefox behavior seems to be 'abort navigation', without any UI message.
This seems in accordance to navigate spec ( http://www.w3.org/TR/html5/browsers.html#navigate ).

My issue here is about CSP used for preventing clickjacking on sensitive pages (the C one), while allowing framing on other pages (the B one).

Not telling anything to the user as for why the navigation got canceled seems to me as detrimental to the user experience and B site reputation in this use case. Current behavior cause the B page to look broken, without much solution as far as I know if A page (potentially from some malevolent site) sandbox the iframe to forbid top navigation.

The navigate spec allows to navigate to a new top window instead, but this is not current choice of Chrome and Firefox for the specific case of frame-ancestors. While for some other cases, it is. (In Chrome, if A forbid top navigation on iframe, a link in B with target="_top" does navigate to a new top window.)

May the spec for frame-ancestors give some specific recommendations on browser UI behavior on violations, like favoring the navigation to a new top window?

Regards,

Frédéric
Received on Monday, 7 September 2015 12:33:32 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:15 UTC