Closed Bug 1032310 Opened 10 years ago Closed 8 years ago

Please implement a CSP directive that disallows navigation

Categories

(Core :: DOM: Security, enhancement)

30 Branch
x86
All
enhancement
Not set
normal

Tracking

RESOLVED INVALID

People

(Reporter: pamela.fox, Unassigned)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:30.0) Gecko/20100101 Firefox/30.0 (Beta/Release)
Build ID: 20140605174243

Steps to reproduce:

On Khan Academy, we have a setup where we allow users to write code in an editor, and we execute that code in an iframe on a separate domain. You can see that here:
https://www.khanacademy.org/cs/new

We will soon be using CSP directives to limit the user code from being able to do things like load external multimedia, but there is one thing that is very difficult for us to enforce right now: changing window.location.

I have written this doc of the many ways we've attempted to prevent user code from changing window.location here:
https://docs.google.com/a/khanacademy.org/document/d/1fpHPpjUoyWpTVXXFm8LMUz3Ra8VtJOjX2jyVCbBjsAQ/edit

It's proved to be quite difficult in Firefox, and it's something we'd really like to be able to do, because otherwise the users could set up something like a phishing attack. Sure, the phishing frame would be in the context of the larger page, but other users may still trust whatever is inside it.

We would like a CSP directive like no-external-navigation that would prevent window.location from being changed inside the frame.

Shouldn't this be a spec bug? Do other browsers provide a way to do this? I don't see something offhand, looking at the csp spec...
Flags: needinfo?(pamela.fox)

I'm not sure, maybe it should be a spec bug? Where would I file that?

I saw related messages about it here:
http://lists.w3.org/Archives/Public/public-webappsec/2014May/0000.html

I thought it'd be possible for FF to implement it first, since that's where I need it given how FF's Object.freeze works, and other browsers could follow suit.
Flags: needinfo?(pamela.fox)

This has been brought up on WASG: http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0252.html for discussion purposes.

(In reply to pamela.fox from comment #2)
> I'm not sure, maybe it should be a spec bug? Where would I file that?
> 
> I saw related messages about it here:
> http://lists.w3.org/Archives/Public/public-webappsec/2014May/0000.html
> 
> I thought it'd be possible for FF to implement it first, since that's where
> I need it given how FF's Object.freeze works, and other browsers could
> follow suit.

While I hate to be the bearer of bad news, note that in Chrome, if you do:

Object.freeze(window.location);
location.replace("http://www.example.com/");

that still works (i.e., navigation is not prevented).

So I expect you'll need something for all browsers.
Severity: normal → enhancement
OS: Mac OS X → All
Status: UNCONFIRMED → NEW
Component: Untriaged → DOM: Security
Ever confirmed: true
Product: Firefox → Core

As discussed in this bug, this is rather a spec issue than a bug within Firefox. Closing this one as INVALID.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID
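
An added illustration, not part of the bug thread: a simplified JavaScript model of why the `Object.freeze` call in the comment earlier in this thread does not stop `location.replace()`. `Object.freeze` only locks an object's own properties, so a method or setter that changes state held elsewhere keeps working. `makeLocationModel`, `freezeAndProbe` and the `sandbox.example` URL are hypothetical names constructed for this example, and the model is not a browser's Location implementation.

```javascript
// Simplified stand-in for a Location-like object (an assumption made for
// illustration): the current URL is held in state that is not an ordinary
// data property of the object itself.
function makeLocationModel(initialUrl) {
  let currentUrl = initialUrl; // internal state, outside the reach of freeze
  const loc = {
    replace(url) { currentUrl = String(url); }, // method with a side effect
    note: 'plain data property',
  };
  Object.defineProperty(loc, 'href', {
    get() { return currentUrl; },
    set(url) { currentUrl = String(url); },
    enumerable: true,
    configurable: true,
  });
  return loc;
}

// Freeze the model, then record which operations the freeze actually blocks.
function freezeAndProbe() {
  const loc = makeLocationModel('https://sandbox.example/start'); // constructed URL
  Object.freeze(loc);
  const result = {
    frozen: Object.isFrozen(loc),
    // Reflect.* returns false instead of throwing, in strict or sloppy mode.
    dataWriteAllowed: Reflect.set(loc, 'note', 'changed'),
    methodSwapAllowed: Reflect.set(loc, 'replace', () => {}),
    newPropertyAllowed: Reflect.defineProperty(loc, 'extra', { value: 1 }),
  };
  // Calling the existing method is not a property write, so freeze is irrelevant.
  loc.replace('http://www.example.com/');
  result.afterReplace = loc.href;
  // An accessor's setter still runs after freeze; only data properties lose writability.
  loc.href = 'http://www.example.com/other';
  result.afterHrefSet = loc.href;
  return result;
}

console.log(freezeAndProbe());
```

The freeze blocks overwriting `note`, swapping out `replace`, and adding properties, yet both the method call and the `href` setter still change the URL, which is why an enforcement point outside page script was being asked for.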