W3C home > Mailing lists > Public > public-webappsec@w3.org > September 2015

Re: [CSP2]Is there a directive dealing with the window.opener.location phishing concern?

From: Tanvi Vyas <tanvi@mozilla.com>
Date: Wed, 30 Sep 2015 12:03:49 -0700
To: Jerry Qu <quguangyu@gmail.com>, Mike West <mkwst@google.com>
Cc: WebAppSec WG <public-webappsec@w3.org>
Message-ID: <560C3215.6040307@mozilla.com>
Requiring that no referrer is sent in order to disown the opener is not 
great.  I hope we come up with a better mechanism soon.

Jerry, in the meantime you may consider putting referrer information in 
a query parameter.  Third parties would have to learn about this 
parameter though and update their code.

~Tanvi

On 9/30/15 6:45 AM, Jerry Qu wrote:
> Thank you for your reply!
>
> We can not remove the REFERER header to 3rd party web page,
> because of they use the header for Referral Analytics.
>
>
> On Wed, Sep 30, 2015 at 9:37 PM, Mike West <mkwst@google.com 
> <mailto:mkwst@google.com>> wrote:
>
>     On Wed, Sep 30, 2015 at 2:43 PM, Jerry Qu <quguangyu@gmail.com
>     <mailto:quguangyu@gmail.com>> wrote:
>
>         I have read the CSP2 specs (http://www.w3.org/TR/CSP2/), and I
>         found there is no directive to block this situation:
>
>         if ( window.opener != null ) {
>             window.opener.location.replace('http://www.evil.com');
>         }
>
>         Our website offer a web search service, we will open target
>         link in a new tab,
>         and some 3rd party website website use this script to redirect
>         our page to an evil page.
>
>         What can I do for this?
>
>
>     Right now, you can open that window with `<a rel="noreferrer"
>     target="_blank">`, which will disown the opener in the new window.
>
>     This is something we'd like to address in the next iteration of
>     CSP: in the somewhat near future, you can use whatever we come up
>     with to address https://github.com/w3c/webappsec/issues/139.
>
>     -mike
>
>
>
>
> -- 
> 非常感谢~
>
> 屈光宇(ImQuQu.com)
Received on Wednesday, 30 September 2015 19:04:19 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:15 UTC