Re: 'child-src' and popups.

On Mon, Feb 10, 2014 at 2:21 PM, Mike West <> wrote:
> 1. Popping up an allowed resource allows trivial navigation to a disallowed
> resource via the reference returned from ''. Do we want to block
> navigations in the new window's context?

for why grouping popups and child-src does not really work for service
workers. We want to know it's a top-level navigation, but we also want
to know it's different from the main window.

> 2. If we wish to block redirections ( ->, we'll
> currently pop up the window to do the request. If the redirection fails a
> CSP check, what do we do? Close the window? Leave the window open at
> about:blank (as we end up doing (in Blink) for blocked frames)?

We should do the same as what we do for network errors as that is what
a failed CSP check should result in.

Not sure about unsafe-eval.


Received on Monday, 10 February 2014 14:09:53 UTC