Skip to content

Commit

Permalink
Clarify that URL bar spoofing is not possible
Browse files Browse the repository at this point in the history
  • Loading branch information
domenic committed Mar 16, 2021
1 parent 9ee52f4 commit ea62fe4
Show file tree
Hide file tree
Showing 2 changed files with 11 additions and 2 deletions.
5 changes: 4 additions & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -1060,6 +1060,8 @@ One particular point of interest is the user-agent generated `appHistoryEntry.ke
Security-wise, this feature has been carefully designed to give no new abilities that might be disruptive to the user or to delicate parts of browser code. See, for example, the restrictions on [navigation monitoring and interception](#navigation-monitoring-and-interception) to ensure that it does not allow trapping the user, or the discussion of how this proposal [does not impact how browser UI presents session history](#impact-on-back-button-and-user-agent-ui).
In particular, note that navigation interception can only update the URL bar to perform single-page app navigations to the same extent as `history.pushState()` does: the destination URL must only differ from the page's current URL in path, query, or fragment components. Thus, the `navigate` event does not allow URL spoofing by updating the URL bar to a cross-origin destination while providing your own origin's content.
See also the [W3C TAG security and privacy questionnaire answers](./security-privacy-questionnaire.md).
## Stakeholder feedback
Expand Down Expand Up @@ -1089,7 +1091,8 @@ Thanks also to
[@natechapin](https://github.com/natechapin),
[@pshrmn](https://github.com/pshrmn),
[@SetTrend](https://github.com/SetTrend),
[@slightlyoff](https://github.com/slightlyoff), and
[@slightlyoff](https://github.com/slightlyoff),
[@torgo](https://github.com/torgo), and
[@Yay295](https://github.com/Yay295)
for their help in exploring this space and providing feedback.
Expand Down
8 changes: 7 additions & 1 deletion security-privacy-questionnaire.md
Original file line number Diff line number Diff line change
Expand Up @@ -48,7 +48,13 @@ No.

**Do features in this specification allow an origin some measure of control over a user agent’s native UI?**

Importantly, no. Navigations through native UI such as the URL bar or back button do not trigger a cancelable `navigate` event. See the abuse prevention discussion in the ["Navigation monitoring and interception"](./README.md#navigation-monitoring-and-interception) section as well as the ["Impact on the back button and user agent UI"](./README.md#impact-on-the-back-button-and-user-agent-ui) section.
No more than is possible today.

Navigations through native UI such as the URL bar or back button do not trigger a cancelable `navigate` event. See the abuse prevention discussion in the ["Navigation monitoring and interception"](./README.md#navigation-monitoring-and-interception) section as well as the ["Impact on the back button and user agent UI"](./README.md#impact-on-the-back-button-and-user-agent-ui) section.

The API does provide pages the ability to update the contents of the browser's URL bar, by intercepting the `navigate` event and converting what would normally be a cross-document navigation into a same-document one. But, this capability is restricted in the same way that `history.pushState()` is: the new URL being navigated to must differ from the current one only in the path/query/fragment components.

So, this can't be used for spoofing the URL by, for example, responding to a navigation from `https://evil.example/` to `https://good.example/` with custom contents from `https://evil.example/`. Since the URLs differ in their host component, such a navigation cannot be intercepted by `https://evil.example/`. In other words, when the URL bar reads `https://good.example/`, only `https://good.example/` controls the contents displayed.

**What temporary identifiers do the features in this specification create or expose to the web?**

Expand Down

0 comments on commit ea62fe4

Please sign in to comment.