- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Mon, 10 Feb 2014 15:09:22 +0100
- To: Mike West <mkwst@google.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Mon, Feb 10, 2014 at 2:21 PM, Mike West <mkwst@google.com> wrote: > 1. Popping up an allowed resource allows trivial navigation to a disallowed > resource via the reference returned from 'window.open'. Do we want to block > navigations in the new window's context? See http://lists.w3.org/Archives/Public/public-webappsec/2014Feb/0007.html for why grouping popups and child-src does not really work for service workers. We want to know it's a top-level navigation, but we also want to know it's different from the main window. > 2. If we wish to block redirections (allowed.com -> blocked.com), we'll > currently pop up the window to do the request. If the redirection fails a > CSP check, what do we do? Close the window? Leave the window open at > about:blank (as we end up doing (in Blink) for blocked frames)? We should do the same as what we do for network errors as that is what a failed CSP check should result in. Not sure about unsafe-eval. -- http://annevankesteren.nl/
Received on Monday, 10 February 2014 14:09:53 UTC