
RE: A 'navigation-to' CSP directive

From: Rob van Eijk <rob@blaeu.com>
Date: Fri, 1 Dec 2017 14:32:49 +0000
To: Andy Paicu <andypaicu@chromium.org>
Cc: public-webappsec@w3.org <public-webappsec@w3.org>, mkwst@google.com <mkwst@google.com>
Message-ID: <01020160127e8406-da6a8d0e-80d8-4d06-b7ef-4e5d3aed673a-000000@eu-west-1.amazonses.com>
Good point.

However, if an iframe is whitelisted as child-src, the CSP directive would not block the resources the iframe brings in, right? Maybe I misunderstood the hierarchy of the 'navigate-to' idea. To help the conversation I will provide a use case.

A third-party API is included on a webpage with an iframe. The third party uses external embedded resources to measure JavaScript errors (usage.trackjs.com, js-agent.newrelic.com, bam.nr-data.net). These resources should be whitelisted as they are necessary for the functioning of the third-party API. However, the third party also includes an analytics pixel used for, e.g., purposes that would trigger the consent requirement under EU law. It would be great if this pixel could be blocked by the webpage owner through CSP.

Hope this clarifies my use case,

Rob

-----Original message-----
From: Andy Paicu
Sent: Friday, December 1 2017, 3:20 pm
To: Rob van Eijk
Cc: public-webappsec@w3.org; mkwst@google.com
Subject: Re: A 'navigation-to' CSP directive

Hi Rob,
 I think it fits better as a CSP directive not as part of sandbox. If we are adding it to sandbox we are saying that it only makes sense as part of sandbox but I believe there are plenty of situations where this can be used without sandbox.
 Also I believe sandbox currently has only Y/N flags, and this should be a serialized-source-list and in CSP it would become a sort of directive inside a directive which can make CSP syntax more complicated.
 Regards,
Andy Paicu
  On Fri, Dec 1, 2017 at 1:21 PM, Rob van Eijk <rob@blaeu.com> wrote:

Hi,

Is the idea to add it as a CSP directive or as a sandbox value?

I think the idea to implement the enforcement as a sandbox value may make more sense. Since the sandbox directive applies restrictions to the frame, a 'navigation-to' sandbox value would prevent loading resources other than the ones whitelisted. Absence of the 'navigation-to' sandbox value would not enforce a whitelist on the sandboxed iframe.

Rob

-----Original message-----
From: Andy Paicu
Sent: Friday, December 1 2017, 12:04 pm
To: public-webappsec@w3.org
Subject: A 'navigation-to' CSP directive
 Hello all,
 Following the discussions at TPAC I have put together a document proposal/explainer around a 'navigation-to' CSP directive.
 This directive can help web authors control the top level navigations allowed from their page and I have listed some scenarios where such a directive could be used.
 If you are interested, please have a look and feel free to leave comments.
 https://docs.google.com/a/chromium.org/document/d/1eMfw7sSIPtPPs9T3K2C8SfDi3Q7OXRTrRDdkGOLb19M/edit?usp=sharing
 Regards,
Andy Paicu
 
Received on Friday, 1 December 2017 14:33:22 UTC
