ISSUE-56: Should we restrict subsequent navigation within child-src?

child src navigation

Should we restrict subsequent navigation within child-src?

State:
CLOSED
Product:
CSP Level 2
Raised by:
Brad Hill
Opened on:
2014-01-14
Description:
We use CSP to govern creation of child browsing contexts of various types. It makes sense to prevent inline content from creating such links, or from navigating a sub-context itself.

Does it make sense to prevent the new context from navigating itself? This is a bit odd, not sure what threats it protects against, and creates some information leakage risks:

http://homakov.blogspot.com/2014/01/using-content-security-policy-for-evil.html

Could we say that frame-src and similar govern only the initial value and parent navigation of the frame, not its own self-navigation?
Related Actions Items:
No related actions
Related emails:
No related emails

Related notes:

http://www.w3.org/TR/CSP11/#ch-csp-client-hint

Brad Hill, 27 Oct 2014, 04:08:35

Display change log ATOM feed

Daniel Veditz <dveditz@mozilla.com>, Mike West <mkwst@google.com>, Chairs, Wendy Seltzer <wseltzer@w3.org>, Samuel Weiler <weiler@w3.org>, Staff Contacts
Tracker: documentation, (configuration for this group), originally developed by Dean Jackson, is developed and maintained by the Systems Team <w3t-sys@w3.org>.
$Id: 56.html,v 1.1 2020/01/17 08:52:37 carcone Exp $