
Re: [CSP2] Is there a directive dealing with the window.opener.location phishing concern?

From: Mike West <mkwst@google.com>
Date: Wed, 30 Sep 2015 15:37:11 +0200
Message-ID: <CAKXHy=cZdH8Oqe9bVSXXJ352nLqogwsJtMuAUvUdEETqe3u30A@mail.gmail.com>
To: Jerry Qu <quguangyu@gmail.com>
Cc: WebAppSec WG <public-webappsec@w3.org>
On Wed, Sep 30, 2015 at 2:43 PM, Jerry Qu <quguangyu@gmail.com> wrote:

> I have read the CSP2 specs (http://www.w3.org/TR/CSP2/), and I found
> there is no directive to block this situation:
>
> // Runs in the newly opened tab; window.opener is the tab that linked here.
> if ( window.opener != null ) {
>     window.opener.location.replace('http://www.evil.com');
> }
>
> Our website offers a web search service; we open the target link in a new
> tab, and some 3rd party websites use this script to redirect our page to
> an evil page.
>
> What can I do about this?
>

Right now, you can open that window with `<a rel="noreferrer"
target="_blank">`, which will disown the opener in the new window.

This is something we'd like to address in the next iteration of CSP: in the
somewhat near future, you can use whatever we come up with to address
https://github.com/w3c/webappsec/issues/139.

-mike
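The mitigation in the reply, as an added example that is not code from the original thread: a small helper that makes sure every link which opens a new tab also carries a `rel` that disowns the opener, so the opened page sees `window.opener === null` and the quoted `location.replace` has nothing to act on. `rel="noreferrer"` is what the reply recommends; the `noopener` token (standardized after this thread, and implied by `target="_blank"` in current browsers) is added alongside it as a defense-in-depth assumption of this example, not something the thread mentions. The sample anchors are constructed for the example.

```javascript
// Added example, not from the original mailing-list thread.
// Hardens outbound links so that a page opened via target="_blank" cannot
// reach back to the opener (the "reverse tabnabbing" redirect quoted above).

// Either token disowns the opener; noreferrer is the one the reply names,
// noopener is assumed here as later defense-in-depth (not in the thread).
const OPENER_DISOWNING_TOKENS = ["noopener", "noreferrer"];

// Normalise a rel attribute ("NoFollow  Noreferrer") into a set of lowercase tokens.
function relTokens(rel) {
  return new Set(String(rel || "").toLowerCase().split(/\s+/).filter(Boolean));
}

// True when a link with these attributes would hand the new page a usable
// window.opener: it opens a new browsing context and carries no disowning token.
function leaksOpener(attrs) {
  if ((attrs.target || "").toLowerCase() !== "_blank") return false;
  const tokens = relTokens(attrs.rel);
  return !OPENER_DISOWNING_TOKENS.some((t) => tokens.has(t));
}

// Return a hardened copy of an anchor's attributes. Links that stay in the
// same tab are returned unchanged; target="_blank" links get both tokens
// merged into whatever rel they already had (e.g. "nofollow" on search results).
function hardenLinkAttrs(attrs) {
  if ((attrs.target || "").toLowerCase() !== "_blank") return { ...attrs };
  const tokens = relTokens(attrs.rel);
  for (const t of OPENER_DISOWNING_TOKENS) tokens.add(t);
  return { ...attrs, rel: [...tokens].sort().join(" ") };
}

// Minimal escaping for attribute values and link text in server-side templates.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}
function escapeText(value) {
  return String(value).replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Render a hardened <a> element; attribute order is fixed (href, rel, target)
// so the output is deterministic and easy to compare in tests.
function renderAnchor(attrs, text) {
  const hardened = hardenLinkAttrs(attrs);
  const parts = ["href", "rel", "target"]
    .filter((k) => hardened[k] !== undefined)
    .map((k) => `${k}="${escapeAttr(hardened[k])}"`);
  return `<a ${parts.join(" ")}>${escapeText(text)}</a>`;
}

// Browser-side variant for pages whose links are already in the DOM: patch the
// rel of every target="_blank" anchor in place. Only runs where a document exists.
function hardenDocumentLinks(doc) {
  let patched = 0;
  for (const a of doc.querySelectorAll('a[target="_blank"]')) {
    if (!leaksOpener({ target: a.target, rel: a.rel })) continue;
    a.rel = hardenLinkAttrs({ target: a.target, rel: a.rel }).rel;
    patched += 1;
  }
  return patched;
}
if (typeof document !== "undefined") hardenDocumentLinks(document);

// Constructed sample: how a search-result link might look before and after.
const SAMPLE_RESULT = { href: "https://example.com/?q=a&b", target: "_blank", rel: "nofollow" };
```

`leaksOpener` is the check worth wiring into a template lint or a test over rendered search results: any anchor it flags is one a third-party page can use to navigate your tab. The same effect can be had when opening programmatically by passing `"noopener"` as the third argument to `window.open`, or by nulling `opener` on the returned window; neither is discussed in the thread, so this example sticks to the `rel` attribute the reply recommends.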
Received on Wednesday, 30 September 2015 13:38:00 UTC
