CSP3: Add something along the lines of disown-window-owner.
#139
Comments
|
Nit: the property is window.opener, so "disown-window-opener". On Thu Jan 08 2015 at 1:05:10 AM Mike West notifications@github.com wrote:
|
|
Why would this be a security-opt-in? We currently have the problem, that browser vendors (the Chrome team) recommend to use |
|
And I am not even talking about MathML on Firefox yet ;) |
|
Because everything in CSP is an opt-in. Sites rely on the current behavior of non- |
|
@mikewest Fair enough. Btw, I added some examples about links and link-likes that bypass <a href="//evil.com" target="_blank" rel="noreferrer">CLICK</a> // window.opener will be null
<map><area href="//evil.com" target="_blank" rel="noreferrer">CLICK</area></map> // window.opener will be null
<svg><a xlink:href="//evil.com" rel="noreferrer">CLICK</a></svg> // window.opener still works
<form action="//evil.com" target="_blank" rel="noreferrer"><input type="submit"></form>// window.opener still works
<form id="test" rel="noreferrer"></form><button formtarget="_blank" formaction="//evil.com">CLICKME</button>// window.opener still works
<math href="//evil.com" xlink:show="new" rel="noreferrer">CLICKME</math>// window.opener still works |
Autolinking: Ignore case when procesing the 'spec' attribute.
|
how does this relate to https://wiki.whatwg.org/wiki/Links_to_Unrelated_Browsing_Contexts |
|
|
sounds like a bug. doesn't sound that bad: why would you submit stuff to a site but not trust it? |
|
sounds like a bug, I meant |
|
If my page is a non-secure context only due to the presence of |
|
@jakearchibald: No. The security of a context is set at the time you navigate in and we decide what IDL attributes to expose. Changing the window's opener at runtime doesn't make the context secure. Specifics of the current implementation aside, what's the scenario you care about? |
w3c/webappsec#517 asked for this, and it's a totally reasonable thing to do. But, w3c/webappsec#139 asked for the inverse ('disown-openee' or something), and it's not clear to me whether there's a good syntax that might encompass both. Leaving both tickets open until we come up with something we're happy with. Until then, puttign this stub in place.
Unfortunately, Safari doesn't even let you modify the opener if the child window has a different origin. From https://github.com/danielstjules/blankshield#solutions
|
|
A few points:
|
The nice thing about CSP is that you don't have to implement all of it to get specific benefits. For instance, if you don't have CSP today, and all you want is to ensure that no one gets a reference to you via I get the general argument that CSP is complex. I don't think that the conclusion holds that creating a new mechanism would make things less complicated. :)
As @annevk noted in that issue, To the broader question: authentication in a popup requires communication between the popper and the popee. |
|
(@zcorpan ^^) |
Sounds good. I wasn't sure if this was indeed the case. 🙂
Uh, yes, I mean, opt-in to disallow setting it cross-origin. As to naming/syntax, no opinion at this time. I will note that @bzbarsky seems not so fond of the idea of introducing this sort of thing in https://lists.w3.org/Archives/Public/public-whatwg-archive/2016Dec/0005.html |
I'm pretty sure I agree with him, but I'm open to a totally amazing idea that I haven't thought of. :) |
|
I think what I was mostly against was introducing something where you open a popup and whether that popup gets to navigate you is determined by some sort of complex dynamic algorithm. Here's a question. If we were designing all this cross-site interaction green-field, how would it work? One plausible answer is that the only thing allowed cross-site would be postMessage. If people think this is a reasonable thing to enable, then we could add something where a window flags itself as "https://html.spec.whatwg.org/multipage/browsers.html#crossoriginproperties-(-o-) should only return postMessage". There are problems, though. If you open a window that sets this flag, then suddenly you can't close it. On the other hand, if you open a window, arguably it shouldn't be able to close you cross-origin. So maybe my plausible answer is just wrong and we really need some sort of more complicated asymmetric setup... Note that this is all separate from the idea of "have a way to opt in to all your window.open calls and targeted link navigations disowning openers". Or not setting them? Note that for rel=noopener we disabled targeting completely, because we couldn't figure out a sane way to make it work, but that would be a slightly odd default behavior to opt into just so you can get protection in the cases when you do open a new thing.... |
OK, that's not what I had in mind.
I think that would makes sense.
You can |
Yes, if it wants to cooperate with you.... |
|
Hello all, I would like to re-open this discussion and see if we can get somewhere with it. It seems that the original concern can be addressed with From what I can tell the difference here is that this directive is supposed to be asymmetric and I'm not exactly sure how much that is really worth. Is there a specific scenario that is really empowered by this directive? It seems to me that if you can't trust the window you are opening than being allowed to communicate with them one-way seems of limited use. For now I'm quite tempted to argue that we should give this directive up entirely, perhaps focus on the inverse which (to me) seems to have more value and is more straightforward. Thoughts? |
|
By the "inverse" I mean this thing discussed here: w3c/webappsec-csp#194 |
|
Not having to annotate all outgoing links with |
|
@annevk Perhaps, though we would have to add a I could get behind a |
|
I don't understand what "two-way" means here. |
|
Ah apologies I was under the wrong impression that Regardless, basically I think following the |
|
Ah, I guess you're right when it comes to |
|
Fwiw, the "noopener" arg to window.open is totally broken in ways that make it effectively unusable in its current implementations (see whatwg/html#1902). The spec is vague enough about window.open option processing last I checked that it probably allows both that behavior and something saner, but it's not clear whether there are any plans to get that fixed on the part of browsers.... So in practice, a CSP that says "noopener all the windows we open" might be useful for sites that can get away with it. The question is how common those sites are in practice.... I do think not having to put |
|
So in order to make this work we would probably needs hooks in: https://html.spec.whatwg.org/multipage/window-object.html#window-open-steps (Step 5) We could add a This way you can specify urls that you want to keep the communication open or just 'none' to do basically apply Perhaps a directive structure like: Does that seem reasonable? I think it covers a lot of use cases nicely and is flexible enough that it will be useful. |
|
Why not keep things simple and consistent by just calling the CSP directive |
|
Closing this in favor of w3c/webappsec-csp#194, which is the better place to discuss CSP features. |
|
Sorry, I'm a bit confused why this was closed in favour of w3c/webappsec-csp#194 . It doesn't seem to be the same thing. As far as I understand, three topics are being discussed here at the same time:
w3c/webappsec-csp#194 seems to be discussing 2 & 3, but I'm personally interested in 1. How do I follow discussion on that? |
|
@kdzwinel it's probably best to open a new issue for that in the linked repository. |
|
CSP will probably not be the place to handle any of the |
w3c/webappsec#517 asked for this, and it's a totally reasonable thing to do. But, w3c/webappsec#139 asked for the inverse ('disown-openee' or something), and it's not clear to me whether there's a good syntax that might encompass both. Leaving both tickets open until we come up with something we're happy with. Until then, puttign this stub in place.
@hillbrad suggested adding a
disown-window-ownerflag of some sort to execute https://html.spec.whatwg.org/#disowned-its-opener automagically when opening auxiliary browsing contexts. That seems reasonable, but we'll need to bikeshed the name/syntax a bit:default-src 'self'; clever-directive-name disown-window-owner strict-mixed-content-checking?Thread: http://lists.w3.org/Archives/Public/public-webappsec/2015Jan/0071.html
The text was updated successfully, but these errors were encountered: