Remove navigate-to.
#564
Remove navigate-to.
#564
Conversation
Though there's an implementation of this directive behind a flag in Chromium, it's not something that any vendor has shipped, and there are real concerns about information leaks that it enables. This patch removes it from the spec to avoid confusion while we determine what, if anything, we want to do in this space. Partially addresses #563.
|
LGTM, thanks! There seems to be some unrelated compilation issues with the spec - bikeshed is not able to find most references. I am not sure what is wrong with it, but I'll have a look. |
|
The bikeshed issue seems like not our problem. I've seen other folks report issues this morning. I'll just wait until America wakes up and fixes it before landing this. |
See w3c/webappsec-csp#564. The “navigate-to” directive was removed from the CSP spec and no implementation of it ever shipped anywhere. Related MDN change: mdn/content#21114
Fixes #21114 See w3c/webappsec-csp#564. The “navigate-to” directive was removed from the CSP spec and no implementation of it ever shipped anywhere. Related BCD change: mdn/browser-compat-data#17902
See w3c/webappsec-csp#564. The “navigate-to” directive was removed from the CSP spec and no implementation of it ever shipped anywhere. Related MDN change: mdn/content#21147
See w3c/webappsec-csp#564. The “navigate-to” directive was removed from the CSP spec and no implementation of it ever shipped anywhere. Related MDN change: mdn/content#21147
Fixes #21114 See w3c/webappsec-csp#564. The “navigate-to” directive was removed from the CSP spec and no implementation of it ever shipped anywhere. Related BCD change: mdn/browser-compat-data#17902
Fixes #21114 See w3c/webappsec-csp#564. The “navigate-to” directive was removed from the CSP spec and no implementation of it ever shipped anywhere. Related BCD change: mdn/browser-compat-data#17902
See w3c/webappsec-csp#564. The “navigate-to” directive was removed from the CSP spec and no implementation of it ever shipped anywhere. Related MDN change: mdn/content#21147
fwiw there is also an implementation in Firefox behind a pref, in limbo at this point. I'd be very happy to get an updated draft without it while we try to figure out if it's salvageable. |
|
Last I heard, there were some non-resolvable security issues with redirects (and maybe embeds?). |
|
Could someone link to information about the unresolvable security issues that can be caused by this directive? |
|
@eligrey Not yet public, but should be soon: https://bugs.chromium.org/p/chromium/issues/detail?id=1350804 |
|
I don't have access to that link so I can only ask more questions: why not scope I can't find any public discussions explaining why we can have the navigation API but not this CSP directive. |
|
@eligrey: I opened up the issue, there's no reason it should have been private. Removing If folks are interested in picking it back up and turning into something that would solve developers' problems while not causing new ones, great! It's simply a question of prioritization and effort. |
It has never shipped after being implemented years ago, and was removed from spec in September 2022: w3c/webappsec-csp#564 Now skipping navigate-to WPT tests. Filed issue for their future removal: w3c/webappsec-csp#608 Also removed our own tests to ensure it is unimplemented. Differential Revision: https://phabricator.services.mozilla.com/D181630
It has never shipped after being implemented years ago, and was removed from spec in September 2022: w3c/webappsec-csp#564 Now skipping navigate-to WPT tests. Filed issue for their future removal: w3c/webappsec-csp#608 Also removed our own tests to ensure it is unimplemented. Differential Revision: https://phabricator.services.mozilla.com/D181630
It has never shipped after being implemented years ago, and was removed from spec in September 2022: w3c/webappsec-csp#564 Now skipping navigate-to WPT tests. Filed issue for their future removal: w3c/webappsec-csp#608 Also removed our own tests to ensure it is unimplemented. Differential Revision: https://phabricator.services.mozilla.com/D181630 UltraBlame original commit: 117114b8eb321259fe5b9160d2501623b6848b7a
It has never shipped after being implemented years ago, and was removed from spec in September 2022: w3c/webappsec-csp#564 Now skipping navigate-to WPT tests. Filed issue for their future removal: w3c/webappsec-csp#608 Also removed our own tests to ensure it is unimplemented. Differential Revision: https://phabricator.services.mozilla.com/D181630 UltraBlame original commit: 117114b8eb321259fe5b9160d2501623b6848b7a
It has never shipped after being implemented years ago, and was removed from spec in September 2022: w3c/webappsec-csp#564 Now skipping navigate-to WPT tests. Filed issue for their future removal: w3c/webappsec-csp#608 Also removed our own tests to ensure it is unimplemented. Differential Revision: https://phabricator.services.mozilla.com/D181630 UltraBlame original commit: 117114b8eb321259fe5b9160d2501623b6848b7a
It has never shipped after being implemented years ago, and was removed from spec in September 2022: w3c/webappsec-csp#564 Now skipping navigate-to WPT tests. Filed issue upstream for their future removal: w3c/webappsec-csp#608 Consensus seems to agree to remove, will do in follow up bug once landed. Also removed our own tests. Added a hack in StartDocumentLoad as just removing the navigate-to check call breaks some inhertiance, see comment for more info. Differential Revision: https://phabricator.services.mozilla.com/D181630
|
Hey @mikewest ! Could you point me to some discussion about said information leaks? I couldn't find anywhere. What is the future of navigate-to now? As far as I understand, CSP was literally this close to actually being capable of preventing exfiltration via generic reliable techniques and I at least was really looking forward to proper support for this. Now you can just do this regardless of the CSP: ...which can be a replicate of the original website and just redirect back, keeping the attack fairly stealthy. |
It has never shipped after being implemented years ago, and was removed from spec in September 2022: w3c/webappsec-csp#564 Now skipping navigate-to WPT tests. Filed issue upstream for their future removal: w3c/webappsec-csp#608 Consensus seems to agree to remove, will do in follow up bug once landed. Also removed our own tests. Added a hack in StartDocumentLoad as just removing the navigate-to check call breaks some inhertiance, see comment for more info. Differential Revision: https://phabricator.services.mozilla.com/D181630
|
@marsupilamimon: As originally defined, Thus far, no one has spent the time to dig into the space again to make a new proposal. I don't think there's real philosophical objection to anyone doing so, it's just a prioritization question. |
|
@mikewest alright, thanks for the reply! Is there something I can do to help? I don't think the open redirects are an issue. While For instance, the online banking app I use probably doesn't have open redirects. Also it doesn't have built-in exfiltration mechanisms (such as posting messages where the attacker could see them). But it does deal with fairly sensitive data and would surely benefit from this kind of a client-side implementation of blocking egress network traffic. |
|
A suitable replacement for |
Though there's an implementation of this directive behind a flag in Chromium, it's not something that any vendor has shipped, and there are real concerns about information leaks that it enables. This patch removes it from the spec to avoid confusion while we determine what, if anything, we want to do in this space.
Partially addresses #563.