Closed
Bug 1032310
Opened 10 years ago
Closed 8 years ago
Please implement a CSP directive that disallows navigation
Categories
(Core :: DOM: Security, enhancement)
Tracking
()
RESOLVED
INVALID
People
(Reporter: pamela.fox, Unassigned)
References
()
Details
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:30.0) Gecko/20100101 Firefox/30.0 (Beta/Release) Build ID: 20140605174243 Steps to reproduce: On Khan Academy, we have a setup where we allow users to write code in an editor, and we execute that code in an iframe on a separate domain. You can see that here: https://www.khanacademy.org/cs/new We will soon be using CSP directives to limit the user code from being able to do things like load external multimedia, but there is one thing that is very difficult for us to enforce right now: changing window.location I have written this doc of the many ways we've attempted to prevent user code from changing window.location here: https://docs.google.com/a/khanacademy.org/document/d/1fpHPpjUoyWpTVXXFm8LMUz3Ra8VtJOjX2jyVCbBjsAQ/edit It's proved to be quite difficult in Firefox, and it's something we'd really like to be able to do, because otherwise the users could set up something like a phishing attack. Sure, the phishing frame would be in the context of the larger page, but other users may still trust what ever is inside it. We would like a CSP directive like no-external-navigation that would prevent window.location from being changed inside the frame.
Comment 1•10 years ago
|
||
Shouldn't this be a spec bug? Do other browsers provide a way to do this? I don't see something offhand, looking at the csp spec...
Flags: needinfo?(pamela.fox)
Reporter | ||
Comment 2•10 years ago
|
||
I'm not sure, maybe it should be a spec bug? Where would I file that? I saw related messages about it here: http://lists.w3.org/Archives/Public/public-webappsec/2014May/0000.html I thought it'd be possible for FF to implement it first, since that's where I need it given how FF's Object.freeze works, and other browsers could follow suit.
Flags: needinfo?(pamela.fox)
Comment 3•10 years ago
|
||
This has been brought up on WASG: http://lists.w3.org/Archives/Public/public-webappsec/2014Jun/0252.html for discussion purpose.
Updated•10 years ago
|
Comment 4•10 years ago
|
||
(In reply to pamela.fox from comment #2) > I'm not sure, maybe it should be a spec bug? Where would I file that? > > I saw related messages about it here: > http://lists.w3.org/Archives/Public/public-webappsec/2014May/0000.html > > I thought it'd be possible for FF to implement it first, since that's where > I need it given how FF's Object.freeze works, and other browsers could > follow suit. While I hate to be the bearer of bad news, note that in Chrome, if you do: Object.freeze(window.location); location.replace("http://www.example.com/"); that still works (ie, navigation is not prevented). So I expect you'll need something for all browsers.
Updated•10 years ago
|
Severity: normal → enhancement
OS: Mac OS X → All
Updated•8 years ago
|
Status: UNCONFIRMED → NEW
Component: Untriaged → DOM: Security
Ever confirmed: true
Product: Firefox → Core
Comment 5•8 years ago
|
||
As discussed in this bug, this is rather a spec issue than a bug within Firefox. Closing this one as INVALID.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID
You need to log in
before you can comment on or make changes to this bug.
Description
•