[css-nav-1] hostile iframes #3390
To prevent hostile third party iframes (e.g. ads) from hijacking and trapping the focus, the spatnav events (and possibly APIs, although I'm less sure about that) should not be available by default in cross origin iframes.
The top-level document should have a way of turning them back on for iframes it trusts.
@annevk with the possible exception of
I don't believe that merely focusing an element is a security vulnerability, but maybe I just lack imagination.
If we do want to curtail this, we could do it with 2 steps:
That would limit the usefulness of
Feature Policy makes sense for this (for enabling something that's by default disabled).
Is there an attack vector in the other direction? Whereby the embedder can direct the navigation such that it makes clickjacking easier?
This could be a feature policy, e.g:
or in a header field:
Alternatively spatnav could be enabled by default for all sources in CSP's
And although CSP is good practice, it would force developers to enable CSP to provide spatial navigation for iframed content, which probably isn't ideal?
@Malvoz Thanks for the feedback.
The feature policy approach looks nice to me, but I am not an expert in this area, and don't have all the background needed to pick the best way forward.
I'm going to leave this issue open for a while, and hope to gather feedback from more people.
I agree that the feature policy is a good approach to solve the security issue in spatial navigation.
Detailed approach for the feature policy would be as below:
Default policy: spatial-navigation 'self'
Feature-Policy HTTP header
A page can declare the spatial navigation feature in its HTTP headers as follows:
It means that only same-origin iframe elements are allowed to use spatial navigation.
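The following is an added illustration, not code from the thread or the css-nav-1 spec: a simplified resolver showing how a Feature-Policy header on the top-level page, with the proposed default of `'self'`, would decide whether a given embedded frame gets the (proposed) `spatial-navigation` feature. It assumes origins are compared as plain strings, ignores the iframe `allow` attribute and inherited policies, and uses constructed origins such as `https://app.example`.

```javascript
// Added example (not from the css-nav-1 thread): a minimal model of how a
// declaration such as
//   Feature-Policy: spatial-navigation 'self' https://trusted.example
// restricts the proposed spatial-navigation feature to same-origin frames
// plus an explicitly trusted origin. Real browsers also combine the iframe
// `allow` attribute and inherited policies; this models only the header.

// Parse "feature a b; feature2 c" into { feature: [allowlist tokens] }.
function parseFeaturePolicy(headerValue) {
  const policy = {};
  for (const directive of headerValue.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [feature, ...allowlist] = tokens;
    policy[feature] = allowlist;
  }
  return policy;
}

// Decide whether a frame served from `frameOrigin` may use `feature` when
// embedded by a page served from `pageOrigin`. If the page declared nothing
// for the feature, fall back to the default proposed in the thread: 'self',
// i.e. only same-origin frames (a hostile cross-origin ad frame gets nothing).
function isFeatureAllowed(policy, feature, pageOrigin, frameOrigin) {
  const allowlist = policy[feature] !== undefined ? policy[feature] : ["'self'"];
  if (allowlist.includes("'none'")) return false;   // explicitly disabled
  for (const entry of allowlist) {
    if (entry === '*') return true;                  // any origin
    if (entry === "'self'" && frameOrigin === pageOrigin) return true;
    if (entry === frameOrigin) return true;          // explicitly trusted origin
  }
  return false;
}

// Constructed sample: a top-level page trusting one partner origin.
const samplePolicy = parseFeaturePolicy(
  "spatial-navigation 'self' https://trusted.example; geolocation 'none'"
);
console.log(isFeatureAllowed(samplePolicy, 'spatial-navigation',
  'https://app.example', 'https://ads.example'));      // false: untrusted frame
```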