k, so you basically vote for the same behavior as Anne :) On Tue, Apr 28, 2015 at 4:35 PM Mike West <mkwst@google.com> wrote: > On Tue, Apr 28, 2015 at 7:30 AM, Jochen Eisinger <eisinger@google.com> > wrote: > >> >> >> On Tue, Apr 28, 2015 at 4:24 PM Mike West <mkwst@google.com> wrote: >> >>> This isn't a CSP issue, is it? It's a "What do you do with >>> `target='blank_'` when applied to a `javascript:` URL?" question. Without >>> thinking about it too hard, Chrome's behavior here seems pretty reasonable; >>> `javascript:` isn't a navigational URL, it simply executes code in the >>> current execution context. Resource requests and navigations that it >>> produces ought to be governed by that context's referrer policy. >>> >> >> If you have a link href="javascript:.." target="blank_" we first create a >> new document (or at least firefox does...) and then execute the script in >> that context. >> >> The question is, what policies do apply to that new document? >> > > Ok, so the new window is somewhat of a red herring. We have the same issue > for `iframe`, don't we? That is, what CSP ought apply to the document > created inside `<iframe src='about:blank'></iframe>`? I hope the spec says > we inherit in that case. I know we will for `blob:`-style embeddings, and > `about:blank` is the same. > > I think that logic would have to carry across to new documents created via > `window.open`. Until that context navigates, it's fairly indistinguishable > from the context that created it. > > -mike >
Received on Tuesday, 28 April 2015 14:42:42 UTC