- From: José Moyano Gutiérrez <jgutierrez.mo@gmail.com>
- Date: Sun, 14 Oct 2018 03:21:11 +0200
- To: public-webappsec@w3.org
- Message-ID: <CAC4NMes4zs2zXya2YgFivhtGyFJ3U-2pHTLH7vYi+cj4-+526g@mail.gmail.com>
Dear webappsec team,

CSP v2 and v3 work great in order to prevent code injection, restricting the content sources to those that we already trust, but if this code injection is achieved by an attacker, CSP does not prevent an attacker from stealing information and sending it to a controlled HTTP by document.location redirection, although it does for form-src. I think document.location and any other navigation event should be covered by a specific CSP policy.

This policy should not generate additional problems for the systems administrators because:

A) Except for blogs, content management and specialised e-commerce or enterprise pages do not need to allow navigation to a huge number of 3rd party pages outside their own domain. And those pages would not change frequently.

B) Administrator configuration effort will be similar to configuring a current CSP v2 policy on their servers.

There are no HTTP headers or features that currently protect users' data once code injection is achieved. CSP should be able to cover this issue without adding too much complexity to the current CSP schema.

Do not hesitate to ask for any feedback you need.

Kind Regards,

-- José Moyano Gutiérrez
Received on Monday, 15 October 2018 02:26:06 UTC
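As an added illustration (not part of the original message or of any CSP implementation), the Python below evaluates a destination URL against a CSP directive's source list in the way a browser does for form-action, and shows that a document.location change has no directive to be checked against. The policy, origins and the directive name `navigation-src` are constructed for the example; `navigation-src` is hypothetical, not a directive of any CSP level.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a shop page whose CSP allows form posts only to itself
# and to one payment provider. No directive governs navigation.
PAGE_ORIGIN = "https://shop.example.com"
POLICY_HEADER = "default-src 'self'; form-action 'self' https://payments.example.org"
HYPOTHETICAL_NAV_DIRECTIVE = "navigation-src"  # the kind of directive the post asks for

def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def host_matches(pattern, host):
    """Match a host against a CSP host-source, including '*.' wildcards."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])   # '*.example.org' matches 'a.example.org'
    return host == pattern

def source_allows(expr, page_origin, url):
    """Does one source expression (self, scheme or host source) allow the URL?"""
    target, page, expr = urlparse(url), urlparse(page_origin), expr.lower()
    if expr == "'none'":
        return False
    if expr == "'self'":
        return (target.scheme, target.netloc) == (page.scheme, page.netloc)
    if expr.endswith(":"):                   # scheme-source such as https:
        return target.scheme == expr[:-1]
    m = re.match(r"^(?:([a-z][a-z0-9+.-]*)://)?([^/:]+)(?::(\d+|\*))?", expr)
    if not m:
        return False
    scheme, host, port = m.groups()
    if scheme and target.scheme != scheme:
        return False
    if port and port != "*" and str(target.port or "") != port:
        return False
    return host_matches(host, (target.hostname or "").lower())

def destination_allowed(policy, directive, page_origin, url):
    """Return (governed, allowed). A destination no directive covers is allowed by default."""
    sources = policy.get(directive)
    if sources is None:
        return (False, True)
    return (True, any(source_allows(s, page_origin, url) for s in sources))
```

With this policy a form post to an untrusted host is refused, while the same host reached through a location change is never evaluated, which is exactly the gap the message describes.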