[CSP] Implementer differences: window.open

From: Kevin Hill <khill@microsoft.com>
Date: Fri, 31 Oct 2014 14:20:13 +0000
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <c4935bac10be4dc5b6335a569a7aa06e@SN2PR03MB031.namprd03.prod.outlook.com>
When calling window.open and navigating to a blank page, the current behavior in Chrome is that no CSP policy is inherited, while in FF the behavior is that the CSP from the parent doc is inherited.

At TPAC I'd mentioned this to Dan/Mike. I wanted to start this email to highlight the difference and provide an opportunity for discussion on what we should do here. If the policy isn't inherited, I see a potential bypass for the parent doc's policy; maybe I am looking at this the wrong way.

Dan/Mike thoughts?
Received on Friday, 31 October 2014 14:20:44 UTC