Re: [REFERRER] policy inheritance via javascript: URI and new document

On Tue, Apr 28, 2015 at 4:24 PM Mike West <mkwst@google.com> wrote:

> This isn't a CSP issue, is it? It's a "What do you do with
> `target='blank_'` when applied to a `javascript:` URL?" question. Without
> thinking about it too hard, Chrome's behavior here seems pretty reasonable;
> `javascript:` isn't a navigational URL, it simply executes code in the
> current execution context. Resource requests and navigations that it
> produces ought to be governed by that context's referrer policy.
>

If you have a link href="javascript:.." target="blank_", we first create a
new document (or at least Firefox does...) and then execute the script in
that context.

The question is, what policies do apply to that new document?


>
> -mike
>
> --
> Mike West <mkwst@google.com>, @mikewest
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München,
> Germany, Register court and number: Hamburg, HRB 86891, Registered
> office: Hamburg, Managing Directors: Graham Law, Christine Elizabeth
> Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
>
> On Tue, Apr 28, 2015 at 7:13 AM, Jochen Eisinger <eisinger@google.com>
> wrote:
>
>> +Mike West <mkwst@google.com> to grab his attention
>>
>> Since we can deliver a referrer policy via CSP, I guess it would be great
>> if they both behaved the same.
>>
>> On Tue, Apr 28, 2015 at 4:12 PM Sid Stamm <sid@mozilla.com> wrote:
>>
>>> On Mon, Apr 27, 2015 at 12:40 PM, Jochen Eisinger <eisinger@google.com>
>>> wrote:
>>> > What does CSP do, if a page with a policy that disallows plugins creates an
>>> > about:blank pop-up, can the pop-up run plugins?
>>>
>>> The CSP spec is also not clear about this.  I expected that in Firefox
>>> we'd block the load since the CSP is bound to the principal (the
>>> referrer policy is not).
>>>
>>> Test code below my signature. I tested in Firefox and Chrome using a
>>> javascript:-based image loader.  In Firefox, CSP blocks both the "load
>>> here" and the "load in _blank" images.  In Chrome, they're both the
>>> same since _blank is ignored for javascript: schemes.
>>>
>>> -Sid
>>>
>>> ---
>>>
>>> <?php
>>>   // Allow everything inline, but block every image load: the image
>>>   // request is the observable this test relies on.
>>>   header("Content-Security-Policy: default-src * 'unsafe-inline'; img-src 'none'");
>>>   $image = "https://www.w3.org/Icons/w3c_home";
>>>   // javascript: URI that injects an <img>; the same href is used with
>>>   // and without target="_blank".
>>>   $script = "javascript:(function() {var x=document.createElement('img'); x.src='$image';document.body.appendChild(x);})();";
>>> ?>
>>> <html>
>>>   <body>
>>>     <a href="<?=$script?>">Open here</a>
>>>     <br/>
>>>     <a href="<?=$script?>" target="_blank">Open there</a>
>>>   </body>
>>> </html>
>>>
>>
>

Received on Tuesday, 28 April 2015 14:31:18 UTC