Intent to implement and ship: CSP 'navigate-to' directive

[Andy Paicu]

Contact emails andy...@chromium.org Spec https://w3c.github.io/webappsec-csp/#directive-navigate-to Summary The navigate-to directive restricts the URLs to which a document can initiate navigations by any means (a, form, window.location, window.open, etc.). This is an enforcement on what navigations this document initiates not on what this document is allowed to navigate to. If the form-action directive is present, the navigate-to directive will not act on navigations that are form submissions.

Motivation This directive allows developers control using CSP over navigations that a document initiates. It has many security applications (e.g. ensuring the ads landing page is correct). Interoperability risk Firefox: No public signals Edge: No public signals Safari: No public signals Web developers: Positive

While I have no particular links I can point to for particular browsers this has been discussed at TPAC and during a call, on the webappsec mailing list and in the explainer document provided and the feedback is pretty positive.

explainer: https://docs.google.com/document/d/1eMfw7sSIPtPPs9T3K2C8SfDi3Q7OXRTrRDdkGOLb19M/edit?usp=sharing

webappsec thread: https://lists.w3.org/Archives/Public/public-webappsec/2017Dec/0000.html 

Compatibility risk The directive does not fall back on `default-src` and it is ignored when `form-action` is present and relevant. This means that existing content won't be affected.

Ongoing technical constraints None Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, Chrome OS, Android, and Android WebView)? Yes or no. Yes

Link to entry on the Chrome Platform Status https://www.chromestatus.com/features/6457580339593216 Requesting approval to ship? Yes

[Andy Paicu]

I forgot to add the section for WPT tests:

https://wpt.fyi/content-security-policy/navigate-to

[Rick Byers]

Can you provide any details on the positive signals from web developers?  In particular, what developers have actually tried using this directive (I assume it's behind a flag now?) and can confirm that they intend to deploy use of it to production?

Otherwise it looks reasonable to me. Obviously we'd like to have more concrete signals from the other browsers, but I trust that there's been good discussion in the WG.  Perhaps it's worth filing some bugs for vendors who you think are most likely to be next to implement?  I imagine they're likely all waiting to see who really intends to use this, before deciding what priority to give to implementation.

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CACnmqYg8ZiFVg6fu1fU53T-9tJkGr1HOWRwkhEP-oo0fWpmx9Q%40mail.gmail.com.

[Andy Paicu]

Hello Rick,

The feature is WIP and not fully implemented yet but there has been significant discussion with the Google ads teams to use this feature in order to enforce the landing page of ads.

Also some Google ISE members have expressed their approval of the directive and that there could be potential use for it.

Regards,

Andy

[Rick Byers]

Thanks for the details Andy.

Enabling ad networks to reduce the user impact of bad/malicious ads is IMHO significant in terms of "moving the web forward" and so outweighs for me the interop risk of not having concrete signals from other browsers here.

Also we've seen from recent sandbox flag additions that when a major ad network starts using a feature to lock down what ads can do, this creates a significant incentive for the other browsers to implement the feature as well (no browser wants to be the one with a worse user experience around ads).  So combined with the spec and test work, this seems like something that's likely to become interoperable to me.

LGTM1

[Chris Harrelson]

LGTM2

To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAFUtAY9jzKeEQLJadvvGn_SFis11Q2FUEL8zdpwuymsy7Adhvw%40mail.gmail.com.

[Philip Jägenstedt]

LGTM3

I tried ./wpt run --binary `which google-chrome-unstable` --binary-arg=--enable-experimental-web-platform-features chrome content-security-policy/navigate-to to see if all the red in https://wpt.fyi/content-security-policy/navigate-to would go away, but there are still fairly many failures, which are also in https://cs.chromium.org/chromium/src/third_party/WebKit/LayoutTests/external/wpt/content-security-policy/navigate-to/

Presumably this is because the implementation isn't done yet, but if there are any failures left after that, can you make sure there are bugs filed for them?

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOMQ%2Bw8tHDbeXQ6-RO_EBHsJ_Ru5NaOB2SRqxyEB_aEcPYtt7g%40mail.gmail.com.

[Andy Paicu]

Thank you Philip, I plan on having all the tests pass, but if for some reason I will have to leave some for later, I will make sure to raise bugs.