
Re: 'child-src' and popups.

From: Anne van Kesteren <annevk@annevk.nl>
Date: Mon, 10 Feb 2014 15:09:22 +0100
Message-ID: <CADnb78ieS_tEKzNTSkowi4cJwJzxKxb7NULhBiovBuTi5ZKxAg@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

On Mon, Feb 10, 2014 at 2:21 PM, Mike West <mkwst@google.com> wrote:
> 1. Popping up an allowed resource allows trivial navigation to a disallowed
> resource via the reference returned from 'window.open'. Do we want to block
> navigations in the new window's context?

See http://lists.w3.org/Archives/Public/public-webappsec/2014Feb/0007.html
for why grouping popups and child-src does not really work for service
workers. We want to know it's a top-level navigation, but we also want
to know it's different from the main window.

> 2. If we wish to block redirections (allowed.com -> blocked.com), we'll
> currently pop up the window to do the request. If the redirection fails a
> CSP check, what do we do? Close the window? Leave the window open at
> about:blank (as we end up doing (in Blink) for blocked frames)?

We should do the same as what we do for network errors as that is what
a failed CSP check should result in.

Not sure about unsafe-eval.

Received on Monday, 10 February 2014 14:09:53 UTC
