Re: 'child-src' and popups.

On Mon, Feb 10, 2014 at 2:21 PM, Mike West <mkwst@google.com> wrote:
> 1. Popping up an allowed resource allows trivial navigation to a disallowed
> resource via the reference returned from 'window.open'. Do we want to block
> navigations in the new window's context?

See http://lists.w3.org/Archives/Public/public-webappsec/2014Feb/0007.html
for why grouping popups and child-src does not really work for service
workers. We want to know it's a top-level navigation, but we also want
to know it's different from the main window.


> 2. If we wish to block redirections (allowed.com -> blocked.com), we'll
> currently pop up the window to do the request. If the redirection fails a
> CSP check, what do we do? Close the window? Leave the window open at
> about:blank (as we end up doing (in Blink) for blocked frames)?

We should do the same as what we do for network errors as that is what
a failed CSP check should result in.


Not sure about unsafe-eval.


-- 
http://annevankesteren.nl/

Received on Monday, 10 February 2014 14:09:53 UTC