- From: Kevin Hill <khill@microsoft.com>
- Date: Fri, 31 Oct 2014 14:20:13 +0000
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Friday, 31 October 2014 14:20:44 UTC
When calling window.open and navigating to a blank page the current behavior in Chrome is that no CSP policy is inherited. While in FF, the behavior is that the CSP from the parent doc is inherited. At TPAC I'd mentioned to Dan/Mike. I wanted to start this email to highlight the difference and provide opportunity for discussion on what we should do here. If the policy isn't inherited I see a potential by pass for the parent docs policy, maybe I am looking at this the wrong way. Dan/Mike thoughts?
Received on Friday, 31 October 2014 14:20:44 UTC