W3C home > Mailing lists > Public > public-webappsec@w3.org > November 2014

Re: [CSP] Implementer differences: window.open

From: Mike West <mkwst@google.com>
Date: Mon, 3 Nov 2014 20:55:39 +0100
Message-ID: <CAKXHy=fLtxVo5VORdPjsCyEruMLvZCJYkaftKZ-hMQ9=ZsoYCQ@mail.gmail.com>
To: Devdatta Akhawe <dev.akhawe@gmail.com>
Cc: Kevin Hill <khill@microsoft.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
I'll have to look into Chrome's behavior here. If we inherit the origin
(and I guess we have to in order to enable `document.write`ing into the new
document), we should inherit the CSP as well.

-mike

--
Mike West <mkwst@google.com>
Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Registergericht und -nummer: Hamburg, HRB 86891
Sitz der Gesellschaft: Hamburg
Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Fri, Oct 31, 2014 at 3:28 PM, Devdatta Akhawe <dev.akhawe@gmail.com>
wrote:

> Since about:blank inherits the origin afaik, I think the Firefox behavior
> is correct.
>
> On 31 October 2014 07:20, Kevin Hill <khill@microsoft.com> wrote:
>
>>  When calling window.open and navigating to a blank page the current
>> behavior in Chrome is that no CSP policy is inherited.  While in FF, the
>> behavior is that the CSP from the parent doc is inherited.
>>
>>
>>
>> At TPAC I’d mentioned to Dan/Mike.  I wanted to start this email to
>> highlight the difference and provide opportunity for discussion on what we
>> should do here.  If the policy isn’t inherited I see a potential by pass
>> for the parent docs policy, maybe I am looking at this the wrong way.
>>
>>
>>
>> Dan/Mike thoughts?
>>
>
>
Received on Monday, 3 November 2014 19:56:29 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:07 UTC