Additionally, in this scenario, while I do understand where you are coming from - there is a difference between links and forms. In links, more often than not, you (the user) know where you are going to. In forms, unfortunately, there is no indication in the current UI of where the form data is going. So although there is user interaction in a form submission, whether user intent is there or not is not clear. As such, I think forms should be covered by the allow directive. If not, then a form-src also makes sense. --duryodhan
Assume form actions are subject to the <tt>allow</tt> directive as you recommend. If a site wants to allow form submissions to arbitrary third party sites (such as search boxes with arbitrary targets), then they have to open up the allow directive to be something like <tt>allow *</tt>. This is not safe, especially if the site authors don't want ActiveX controls or Scripts loaded from third party sites. As a result, the site authors have to then use the rest of the directives as ''blacklists'' instead of whitelists, making the policy a bit more confusing. If there's a <tt>form-action</tt> directive, then only one additional directive is needed aside from <tt>allow self</tt> to get a fairly closed-down policy that allows form submissions to arbitrary sites.

So either we need a directive to control form actions, or we shouldn't subject the form actions to CSP at all like anchor-based links (not even the allow directive).

-[[User:Sidstamm|Sid]]
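The policy trade-off Sid describes can be made concrete with a small evaluator. The following is an added example, not code from the wiki discussion or from Mozilla's CSP implementation: it implements the draft directives named above (<tt>allow</tt>, <tt>script-src</tt>, <tt>object-src</tt>, <tt>frame-src</tt>, <tt>form-action</tt>) with two assumptions that are not stated on the page, namely that a directive missing from the policy falls back to <tt>allow</tt> (so form actions are governed by <tt>allow</tt> unless <tt>form-action</tt> is present), and that a source expression is either <tt>*</tt>, <tt>self</tt>, or an exact origin. The origins are constructed sample values. It then evaluates the three policies from the argument: the opened-up <tt>allow *</tt>, the same policy with every other directive turned into a blacklist, and <tt>allow self; form-action *</tt>.

```python
# Added example (not from the wiki page): toy evaluator for the draft CSP
# directives under discussion. Hypothetical simplifications: the `allow`
# directive is the fallback for any directive not given (including form-action,
# as duryodhan proposes), and a source is `*`, `self`, or an exact origin.
from typing import Dict, List

KNOWN_DIRECTIVES = {"allow", "script-src", "object-src", "frame-src", "form-action"}
PAGE_ORIGIN = "https://example.org"         # constructed sample origin
THIRD_PARTY = "https://search.example.net"  # constructed sample origin


def parse_policy(policy: str) -> Dict[str, List[str]]:
    """Parse 'allow self; form-action *' into {directive: [source, ...]}.

    Unknown directive names are rejected rather than silently ignored, so a
    typo cannot quietly turn into "no restriction".
    """
    rules: Dict[str, List[str]] = {}
    for clause in policy.split(";"):
        tokens = clause.split()
        if not tokens:
            continue
        name, sources = tokens[0], tokens[1:]
        if name not in KNOWN_DIRECTIVES:
            raise ValueError(f"unknown directive: {name!r}")
        rules[name] = sources
    return rules


def source_matches(sources: List[str], origin: str, page_origin: str) -> bool:
    """True if `origin` is covered by one of the source expressions."""
    for src in sources:
        if src == "*":
            return True
        if src == "self" and origin == page_origin:
            return True
        if src == origin:
            return True
    return False


def is_allowed(policy: str, directive: str, origin: str,
               page_origin: str = PAGE_ORIGIN) -> bool:
    """Decide whether a load or submission of kind `directive` to `origin` is permitted.

    A directive absent from the policy falls back to `allow`; an absent
    `allow` denies everything (closed by default).
    """
    rules = parse_policy(policy)
    sources = rules.get(directive, rules.get("allow", []))
    return source_matches(sources, origin, page_origin)


def compare_policies() -> Dict[str, Dict[str, bool]]:
    """Evaluate the three policies from the discussion against a third-party origin."""
    policies = {
        # forms governed by `allow`, opened up so search boxes can post anywhere
        "open": "allow *",
        # same, but every other directive rewritten as a blacklist
        "blacklist": "allow *; script-src self; object-src self; frame-src self",
        # a dedicated form-action directive keeps everything else closed
        "form-action": "allow self; form-action *",
    }
    return {
        name: {
            "form_to_third_party": is_allowed(p, "form-action", THIRD_PARTY),
            "script_from_third_party": is_allowed(p, "script-src", THIRD_PARTY),
        }
        for name, p in policies.items()
    }


if __name__ == "__main__":
    for name, outcome in compare_policies().items():
        print(f"{name:12s} {outcome}")
```

Under these assumptions the <tt>open</tt> policy permits both the third-party form post and a third-party script, the <tt>blacklist</tt> policy gets the script blocked only because every other directive was enumerated, and <tt>allow self; form-action *</tt> permits the form post while scripts fall back to <tt>self</tt>. Adding a new directive later (say, a new fetch type) silently widens the blacklist-style policy but leaves the closed policy closed, which is the maintainability point Sid is making.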
== <tt>frame-src</tt> Consistent Across Navigation (<span style="color:green;">OPEN</span>) ==