
Re: [CSP2]Is there a directive dealing with the window.opener.location phishing concern?

From: Jerry Qu <quguangyu@gmail.com>
Date: Wed, 30 Sep 2015 21:45:13 +0800
Message-ID: <CAGGh6wxME=e0qN3S5_8fxR5NxjEByJ9CJGdeB+hpLZWNJgM93Q@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: WebAppSec WG <public-webappsec@w3.org>
Thank you for your reply!

We cannot remove the REFERER header for 3rd party web pages,
because they use the header for Referral Analytics.


On Wed, Sep 30, 2015 at 9:37 PM, Mike West <mkwst@google.com> wrote:

> On Wed, Sep 30, 2015 at 2:43 PM, Jerry Qu <quguangyu@gmail.com> wrote:
>
>> I have read the CSP2 specs (http://www.w3.org/TR/CSP2/), and I found
>> there is no directive to block this situation:
>>
>> if ( window.opener != null ) {
>>     window.opener.location.replace('http://www.evil.com');
>> }
>>
>> Our website offers a web search service; we open target links in a new
>> tab,
>> and some 3rd party websites use this script to redirect our page
>> to an evil page.
>>
>> What can I do for this?
>>
>
> Right now, you can open that window with `<a rel="noreferrer"
> target="_blank">`, which will disown the opener in the new window.
>
> This is something we'd like to address in the next iteration of CSP: in
> the somewhat near future, you can use whatever we come up with to address
> https://github.com/w3c/webappsec/issues/139.
>
> -mike
>



-- 
Many thanks~

屈光宇(ImQuQu.com)
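The two outbound-link routes discussed in this thread, as an added example rather than code from the thread or from the W3C group: `rel="noreferrer"` (Mike's suggestion) disowns the opener but also drops the Referer header, whereas `rel="noopener"` and the `noopener` feature of `window.open` disown the opener while still sending Referer. Both `noopener` forms postdate this 2015 thread; `openResult` takes the window object as a parameter (an assumption for running outside a browser), and the older `child.opener = null` fallback is the workaround used before `noopener` existed.

```javascript
// Added example, not part of the original thread. Shows how a search page can
// open a result in a new tab without handing the target page a usable
// window.opener, so `window.opener.location.replace(...)` has nothing to act on.

const htmlEscape = s => String(s).replace(/[&<>"']/g, c => ({
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
}[c]));

// Markup route.
// keepReferer=true  -> rel="noopener"   (opener is null, Referer is still sent)
// keepReferer=false -> rel="noreferrer" (opener is null, Referer is suppressed)
function externalLink(href, text, keepReferer = true) {
  const rel = keepReferer ? 'noopener' : 'noreferrer';
  return `<a href="${htmlEscape(href)}" target="_blank" rel="${rel}">${htmlEscape(text)}</a>`;
}

// Script route. `win` is the window object, passed in so this runs under Node
// for testing (assumption). Returns the child window, or null when the browser
// honours `noopener` or the target is rejected.
function openResult(win, href) {
  let u;
  try { u = new URL(href); } catch (e) { return null; }  // relative/garbage: reject
  // Only http(s) targets: a javascript: URL would execute in the search page's origin.
  if (u.protocol !== 'https:' && u.protocol !== 'http:') return null;
  const child = win.open(u.href, '_blank', 'noopener');
  // Browsers that honour `noopener` return null. Older browsers return the new
  // window; clearing its opener before the target document loads disowns it.
  if (child) child.opener = null;
  return child;
}
```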
Received on Wednesday, 30 September 2015 13:45:41 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:15 UTC