- From: Rob van Eijk <rob@blaeu.com>
- Date: Fri, 1 Dec 2017 12:21:11 +0000
- To: Andy Paicu <andypaicu@chromium.org>, public-webappsec@w3.org <public-webappsec@w3.org>, mkwst@google.com <mkwst@google.com>
Received on Friday, 1 December 2017 12:21:41 UTC
Hi,

Is the idea to add it as a CSP directive or as a sandbox value?

I think the idea to implement the enforcement as a sandbox value may make more sense. Since the sandbox directive applies restrictions to the frame, a 'navigation-to' sandbox value would prevent loading resources other than the ones whitelisted. Absence of the 'navigation-to' sandbox value would not enforce a whitelist to the sandboxed iframe.

Rob

-----Original message-----
From: Andy Paicu
Sent: Friday, December 1 2017, 12:04 pm
To: public-webappsec@w3.org
Subject: A 'navigation-to' CSP directive

Hello all,

Following the discussions at TPAC I have put together a document proposal/explainer around a 'navigation-to' CSP directive. This directive can help web authors control the top level navigations allowed from their page and I have listed some scenarios where such a directive could be used.

If you are interested, please have a look and feel free to leave comments.

https://docs.google.com/a/chromium.org/document/d/1eMfw7sSIPtPPs9T3K2C8SfDi3Q7OXRTrRDdkGOLb19M/edit?usp=sharing

Regards,
Andy Paicu