W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2015

[CSP2]Is there a directive dealing with the window.opener.location phishing concern?

From: Jerry Qu <quguangyu@gmail.com>
Date: Wed, 30 Sep 2015 20:43:42 +0800
Message-ID: <CAGGh6ww=W4JuZUvgR4c3DVU93_z3PUn0_OS2AJh_N7HkofQ2tA@mail.gmail.com>
To: WebAppSec WG <public-webappsec@w3.org>

Hi,

I have read the CSP2 spec (http://www.w3.org/TR/CSP2/), and I found that there
is no directive to block this situation:

// Run by the page we opened in a new tab: the new tab still holds a
// reference to our tab via window.opener and navigates it away.
if ( window.opener != null ) {
    window.opener.location.replace('http://www.evil.com');
}

Our website offers a web search service; we open the target link in a new
tab, and some third-party websites use this script to redirect our page to
an evil page.

What can I do about this?

-- 

Thank you!
https://imququ.com
Received on Wednesday, 30 September 2015 12:44:14 UTC
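The countermeasure for the behaviour described in the mail lives at the link, not in CSP: a link opened with target="_blank" must also carry rel="noopener" (or rel="noreferrer", which implies it) so that the new tab's window.opener is null, and for browsers that predate that link type the page can open an empty window, clear its opener, and only then navigate it. The following is an added example, not code from the mail or from the W3C: it audits an HTML fragment for unsafe target="_blank" anchors and rewrites them, and it shows the open-then-sever fallback. The sample markup and the stub window used with the fallback are constructed here; the function names (findUnsafeLinks, hardenLinks, openWithoutOpener) are this example's own.

```javascript
// Added example (not part of the original mail). Finds and fixes
// <a target="_blank"> links that would hand the opened page a live
// window.opener reference back to the search results tab.

const ANCHOR_RE = /<a\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Parse the attribute text of a single <a ...> start tag into a map.
function parseAttrs(attrText) {
  const attrs = {};
  ATTR_RE.lastIndex = 0;
  let m;
  while ((m = ATTR_RE.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// A link is unsafe when it opens a new browsing context and nothing in
// rel severs the opener. rel="noreferrer" implies noopener in browsers.
function needsNoopener(attrs) {
  const opensNewTab = (attrs.target || '').toLowerCase() === '_blank';
  const rel = (attrs.rel || '').toLowerCase().split(/\s+/).filter(Boolean);
  return opensNewTab && !rel.includes('noopener') && !rel.includes('noreferrer');
}

// Audit: return the href of every anchor in the fragment that is unsafe.
function findUnsafeLinks(html) {
  const unsafe = [];
  ANCHOR_RE.lastIndex = 0;
  let m;
  while ((m = ANCHOR_RE.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    if (needsNoopener(attrs)) unsafe.push(attrs.href || '');
  }
  return unsafe;
}

// Fix: rewrite unsafe anchors so they carry rel="... noopener noreferrer".
// Anchors that are already safe are returned byte-for-byte unchanged.
function hardenLinks(html) {
  return html.replace(ANCHOR_RE, (tag, attrText) => {
    const attrs = parseAttrs(attrText);
    if (!needsNoopener(attrs)) return tag;
    const rel = (attrs.rel || '').split(/\s+/).filter(Boolean);
    rel.push('noopener', 'noreferrer');
    // Drop any existing rel attribute and append the merged one.
    const stripped = attrText.replace(/\srel\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+)/i, '');
    return `<a${stripped} rel="${rel.join(' ')}">`;
  });
}

// Fallback for script-driven opening in browsers without rel=noopener:
// open an empty window, null its opener, and only then navigate it, so
// the target page never sees a usable window.opener. `win` is the
// window object (injected here so the function can be exercised with a
// constructed stub outside a browser).
function openWithoutOpener(url, win) {
  const child = win.open('', '_blank');
  if (child) {
    child.opener = null;
    child.location = url;
  }
  return child;
}

// Constructed sample: a search-results fragment with one unsafe link (A),
// one already-safe link (B) and one same-tab link (C).
const SAMPLE_RESULTS =
  '<ul>' +
  '<li><a href="https://example.com/a" target="_blank">A</a></li>' +
  '<li><a href="https://example.com/b" target="_blank" rel="noopener">B</a></li>' +
  '<li><a href="https://example.com/c">C</a></li>' +
  '</ul>';

module.exports = { parseAttrs, needsNoopener, findUnsafeLinks, hardenLinks, openWithoutOpener, SAMPLE_RESULTS };
```

Running hardenLinks over a rendered results page (or wiring the same rule into the template that emits result links) removes the opener reference that the script in the mail relies on; findUnsafeLinks is the check to keep in a test so the attribute is not lost in a later template change.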
