Confusion revolving around sandbox 'allow-top-navigation' directive

Hi, I have spent considerable time going through open issues and bug reports both in chrome and firefox, but none seem to address the following problem.

From documentation we get the following definition for the sandbox directive: "If the sandbox directive is present, the page is treated as though it was loaded inside of an with a sandbox attribute. This can have a wide range of effects on the page: forcing the page into a unique origin, and preventing form submission, among others.</em>"</p> <p>The token value "allow-top-navigation" is described as "<em>letting the resource navigate the top-level browsing context (the one named _top)</em>", where in the absence of it, we assume that the converse applies.</p> <p>Now consider a CSP header which is applied to an arbitrary page index.html. Based on the previously cited documentation, I was expecting that a restrictive directive of the form: <strong>sandbox;</strong> where the allow-top-navigation token is omitted, would prevent any redirections to any other page, even if triggered from within index.html; irrespective of whether they are triggered by a user or programmatically.</p> <p>Upon testing it was noted that redirects from within the sandboxed page were still possible, despite index.html being the top level browsing context. More specifically, a couple of examples which when embedded within index.html, would redirect to another page (in this case a third party);</p> <ol> <li><code><a id="redirectButton" href="https://evil.com" class="button">Go to Evil</a></code></li> <li><code><script> setTimeout(function(){ top.window.location.replace('https://evil.com/'); },1000) </script></code></li> <li><code><script> document.getElementById('redirectButton').onclick = function() { window.location.href = 'https://evil.com/'; }; </script></code></li> </ol> <p>Is this intended behaviour and I am misunderstanding the sandbox directive, or is it an issue with the policy? Any help/explanation of what is happening would be greatly appreciated. </p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/antosart"><img src="https://avatars.githubusercontent.com/u/3632086?v=4" />antosart</a> commented <strong> 5 months ago</strong> </div> <div class="markdown-body"> <p>CC @ArthurSonzogni </p> </div> </div> <div class="comment"> <div class="user"> <a rel="noreferrer nofollow" target="_blank" href="https://github.com/franklyn07"><img src="https://avatars.githubusercontent.com/u/23243426?v=4" />franklyn07</a> commented <strong> 5 months ago</strong> </div> <div class="markdown-body"> <p>Leaving this here for anyone stumbling on the same problem. From my understanding and after experimentation, it looks like this directive with the aforementioned tokens, only apply to any nested context such as IFrames within the parent page. This means that if an embedded IFrame tries to trigger a navigation in the top parent, it will be prevented by such directives. However, the directive will not be violated if a script embedded within the parent page tries to make the page navigate elsewhere, despite the parent page being the top level context. Apparently this kind of behaviour was intended to be controlled by a now deprecated directive called <a href="https://content-security-policy.com/navigate-to/">navigate-to</a>. In the absence of such directive, it is still unclear, how one can control which domains can be whitelisted for navigation, through CSP.</p> </div> </div> <div class="page-bar-simple"> </div> <div class="footer"> <ul class="body"> <li>© <script> document.write(new Date().getFullYear()) </script> Githubissues.</li> <li>Githubissues is a development platform for aggregating issues.</li> </ul> </div> <script src="https://cdn.jsdelivr.net/npm/jquery@3.5.1/dist/jquery.min.js"></script> <script src="/githubissues/assets/js.js"></script> <script src="/githubissues/assets/markdown.js"></script> <script src="https://cdn.jsdelivr.net/gh/highlightjs/cdn-release@11.4.0/build/highlight.min.js"></script> <script src="https://cdn.jsdelivr.net/gh/highlightjs/cdn-release@11.4.0/build/languages/go.min.js"></script> <script> hljs.highlightAll(); </script> </body> </html>

w3c / webappsec-csp

Confusion revolving around sandbox 'allow-top-navigation' directive #647