Re: [CSP] Implementer differences: window.open

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Fri, 31 Oct 2014 07:28:48 -0700
Message-ID: <CAPfop_0Zf_QxrYM_5TMmgw11zn0RBESQaUfh5e-CzpP6Wo5PFg@mail.gmail.com>
To: Kevin Hill <khill@microsoft.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

Since about:blank inherits the origin afaik, I think the Firefox behavior
is correct.

On 31 October 2014 07:20, Kevin Hill <khill@microsoft.com> wrote:

> When calling window.open and navigating to a blank page the current
> behavior in Chrome is that no CSP policy is inherited.  While in FF, the
> behavior is that the CSP from the parent doc is inherited.
> At TPAC I’d mentioned to Dan/Mike.  I wanted to start this email to
> highlight the difference and provide opportunity for discussion on what we
> should do here.  If the policy isn’t inherited I see a potential bypass
> for the parent docs policy, maybe I am looking at this the wrong way.
> Dan/Mike thoughts?

Received on Friday, 31 October 2014 14:29:35 UTC