I'll have to look into Chrome's behavior here. If we inherit the origin (and I guess we have to in order to enable `document.write`ing into the new document), we should inherit the CSP as well. -mike -- Mike West <mkwst@google.com> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91 Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany Registergericht und -nummer: Hamburg, HRB 86891 Sitz der Gesellschaft: Hamburg Geschäftsführer: Graham Law, Christine Elizabeth Flores (Sorry; I'm legally required to add this exciting detail to emails. Bleh.) On Fri, Oct 31, 2014 at 3:28 PM, Devdatta Akhawe <dev.akhawe@gmail.com> wrote: > Since about:blank inherits the origin afaik, I think the Firefox behavior > is correct. > > On 31 October 2014 07:20, Kevin Hill <khill@microsoft.com> wrote: > >> When calling window.open and navigating to a blank page the current >> behavior in Chrome is that no CSP policy is inherited. While in FF, the >> behavior is that the CSP from the parent doc is inherited. >> >> >> >> At TPAC I’d mentioned to Dan/Mike. I wanted to start this email to >> highlight the difference and provide opportunity for discussion on what we >> should do here. If the policy isn’t inherited I see a potential by pass >> for the parent docs policy, maybe I am looking at this the wrong way. >> >> >> >> Dan/Mike thoughts? >> > >
Received on Monday, 3 November 2014 19:56:29 UTC