W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2014

'child-src' and popups.

From: Mike West <mkwst@google.com>
Date: Mon, 10 Feb 2014 14:21:37 +0100
Message-ID: <CAKXHy=emXkqTr4_so_OOXkTRztaN_SqPrXpHsU2Ok8OtBQNnig@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
After talking with some folks who know way more about popups than I do, I'm
dropping the auxiliary browsing context bits from the current draft's
definition of 'child-src'. It turns out that they're more complicated than
I expected (and, really, outside the scope of the feature-set that we
closed in October, 2013):
https://github.com/w3c/webappsec/commit/9b7a618aca1f9fcbc99f9887df60ccd98d9c7654

Some open questions:

1. Popping up an allowed resource allows trivial navigation to a disallowed
resource via the reference returned from 'window.open'. Do we want to block
navigations in the new window's context?

2. If we wish to block redirections (allowed.com -> blocked.com), we'll
currently pop up the window to do the request. If the redirection fails a
CSP check, what do we do? Close the window? Leave the window open at
about:blank (as we end up doing (in Blink) for blocked frames)?

3. Should 'unsafe-eval' (or something similar) gate the ability to pop up a
window and then 'document.write' its contents?

None of these are blockers, per se, but given the state of 1.1, and the
relative value of this feature, dropping it for now seems like a good idea.
Let's save this bit for 1.2.

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Monday, 10 February 2014 13:22:28 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:04 UTC