Re: [CSP2] Is there a directive dealing with the window.opener.location phishing concern?

From: Brad Hill <hillbrad@gmail.com>
Date: Wed, 30 Sep 2015 21:22:34 +0000
Message-ID: <CAEeYn8jRA6LghC9G9m2v3M1Ka=d8dovJqEnhnWonCR8wQ9hHxQ@mail.gmail.com>
To: Tanvi Vyas <tanvi@mozilla.com>, Jerry Qu <quguangyu@gmail.com>, Mike West <mkwst@google.com>
Cc: WebAppSec WG <public-webappsec@w3.org>

In the meantime you can use a redirect through your own domain to null out
the window.opener property, or use the handle you get from window.open to
set it to null.

On Wed, Sep 30, 2015 at 12:05 PM Tanvi Vyas <tanvi@mozilla.com> wrote:

> Requiring that no referrer is sent in order to disown the opener is not
> great.  I hope we come up with a better mechanism soon.
>
> Jerry, in the meantime you may consider putting referrer information in a
> query parameter.  Third parties would have to learn about this parameter
> though and update their code.
>
>
> ~Tanvi
>
> On 9/30/15 6:45 AM, Jerry Qu wrote:
>
> Thank you for your reply!
>
> We cannot remove the Referer header sent to the 3rd-party web page,
> because they use the header for referral analytics.
>
>
> On Wed, Sep 30, 2015 at 9:37 PM, Mike West <mkwst@google.com> wrote:
>
>> On Wed, Sep 30, 2015 at 2:43 PM, Jerry Qu <quguangyu@gmail.com> wrote:
>>
>>> I have read the CSP2 specs (http://www.w3.org/TR/CSP2/), and I found
>>> there is no directive to block this situation:
>>>
>>> if ( window.opener != null ) {
>>>     window.opener.location.replace('http://www.evil.com');
>>> }
>>>
>>> Our website offers a web search service; we open the target link in a
>>> new tab,
>>> and some 3rd-party websites use this script to redirect our page
>>> to an evil page.
>>>
>>> What can I do about this?
>>>
>>
>> Right now, you can open that window with `<a rel="noreferrer"
>> target="_blank">`, which will disown the opener in the new window.
>>
>> This is something we'd like to address in the next iteration of CSP: in
>> the somewhat near future, you can use whatever we come up with to address
>> https://github.com/w3c/webappsec/issues/139.
>>
>> -mike
>>
>
>
>
> --
> Many thanks~
>
> 屈光宇(ImQuQu.com)
>
>
>
Received on Wednesday, 30 September 2015 21:23:12 UTC
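The two open strategies discussed above, as an added example that is not code from the thread or from any browser: a constructed in-memory model of two browsing contexts (makeWindow, naiveOpen, safeOpen, simulate and the example URLs are all hypothetical) shows why a new tab can navigate the page that opened it, and how Brad Hill's suggestion of nulling the handle returned by window.open blocks it while still sending a Referer.

```javascript
// Constructed stand-in for a browser window: only the members this example
// needs (location, opener, open). Real windows expose far more.
function makeWindow(href) {
  const win = {
    location: {
      href,
      replace(url) { win.location.href = url; },
    },
    opener: null,
    open(url) {
      const child = makeWindow(url);
      child.opener = win; // browsers hand the new tab a reference back to us
      return child;
    },
  };
  return win;
}

// The script quoted in the thread, as run by a third-party page in the new tab.
function thirdPartyScript(window) {
  if (window.opener != null) {
    window.opener.location.replace('http://www.evil.com');
  }
}

// Naive: open the result link and discard the handle. The opener survives,
// so the third-party page can navigate the search results tab.
function naiveOpen(win, url) {
  return win.open(url, '_blank');
}

// Keep the handle and null out opener before the third-party page runs.
// Unlike rel="noreferrer", this leaves the Referer header untouched.
function safeOpen(win, url) {
  const child = win.open(url, '_blank');
  if (child) child.opener = null;
  return child;
}

// Returns the search page's URL after the new tab's script has run.
function simulate(openFn) {
  const search = makeWindow('https://search.example/results?q=test');
  const tab = openFn(search, 'https://third-party.example/');
  thirdPartyScript(tab);
  return search.location.href;
}
```

Later HTML versions added `rel="noopener"` and the `noopener` window feature, which achieve the same severing without the manual assignment.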
