- From: Rob van Eijk <rob@blaeu.com>
- Date: Fri, 1 Dec 2017 14:32:49 +0000
- To: Andy Paicu <andypaicu@chromium.org>
- Cc: public-webappsec@w3.org <public-webappsec@w3.org>, mkwst@google.com <mkwst@google.com>
- Message-ID: <01020160127e8406-da6a8d0e-80d8-4d06-b7ef-4e5d3aed673a-000000@eu-west-1.amazonse>

Good point. However, if an iframe is whitelisted as child-src, the CAP directive would not block the resources the iframe brings in, right? Maybe I misunderstood the hierarchy of the 'navigate-to' idea.

To help the conversation I will provide a use case. A third-party API is included on a webpage with an iframe. The third party uses external embedded resources to measure JavaScript errors (usage.trackjs.com, js-agent.newrelic.com, bam.nr-data.net). These resources should be whitelisted as they are necessary for the functioning of the third-party API. However, the third party also includes an analytics pixel used for, e.g., purposes that would trigger the consent requirement under EU law. It would be great if this pixel could be blocked by the webpage owner through CSP.

Hope this clarifies my use case,

Rob

-----Original message-----
From: Andy Paicu
Sent: Friday, December 1 2017, 3:20 pm
To: Rob van Eijk
Cc: public-webappsec@w3.org; mkwst@google.com
Subject: Re: A 'navigation-to' CSP directive

Hi Rob,

I think it fits better as a CSP directive, not as part of sandbox. If we are adding it to sandbox we are saying that it only makes sense as part of sandbox, but I believe there are plenty of situations where this can be used without sandbox. Also, I believe sandbox currently has only Y/N flags, and this should be a serialized-source-list, and in CSP it would become a sort of directive inside a directive, which can make CSP syntax more complicated.

Regards,
Andy Paicu

On Fri, Dec 1, 2017 at 1:21 PM, Rob van Eijk <rob@blaeu.com> wrote:

Hi,

Is the idea to add it as a CSP directive or as a sandbox value? I think the idea to implement the enforcement as a sandbox value may make more sense. Since the sandbox directive applies restrictions to the frame, a 'navigation-to' sandbox value would prevent loading resources other than the ones whitelisted. Absence of the 'navigation-to' sandbox value would not enforce a whitelist to the sandboxed iframe.

Rob

-----Original message-----
From: Andy Paicu
Sent: Friday, December 1 2017, 12:04 pm
To: public-webappsec@w3.org
Subject: A 'navigation-to' CSP directive

Hello all,

Following the discussions at TPAC I have put together a document proposal/explainer around a 'navigation-to' CSP directive. This directive can help web authors control the top level navigations allowed from their page and I have listed some scenarios where such a directive could be used.

If you are interested, please have a look and feel free to leave comments.

https://docs.google.com/a/chromium.org/document/d/1eMfw7sSIPtPPs9T3K2C8SfDi3Q7OXRTrRDdkGOLb19M/edit?usp=sharing

Regards,
Andy Paicu

Received on Friday, 1 December 2017 14:33:22 UTC