- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Mon, 27 Apr 2015 18:06:34 +0200
- To: Jochen Eisinger <eisinger@google.com>
- Cc: Sid Stamm <sid@mozilla.com>, WebAppSec WG <public-webappsec@w3.org>

On Mon, Apr 27, 2015 at 5:32 PM, Jochen Eisinger <eisinger@google.com> wrote:
> On Mon, Apr 27, 2015 at 5:19 AM Anne van Kesteren <annevk@annevk.nl> wrote:
>> On Fri, Apr 24, 2015 at 3:13 PM, Sid Stamm <sid@mozilla.com> wrote:
>> > So what do you think? Copy the referrer policy or not? I'm leaning
>> > towards not, since we're creating a new document and the policy,
>> > delivered via HTML tag or CSP, is kind of associated with the document
>> > (not the principal).
>>
>> I think we should copy since before that new top-level browsing
>> context is navigated, it's about:blank and could not have a meaningful
>> policy set in any kind of way.
>
> you could still run some script on about:blank that inserts a meta tag

The given case is <a href=... target=_blank> for which it seems unlikely
you can execute script before the newly created browsing context
navigates unless you rewrite what clicking that link does.

--
https://annevankesteren.nl/

Received on Monday, 27 April 2015 16:07:02 UTC