Re: [CSP] Implementer differences: window.open from Devdatta Akhawe on 2014-10-31 (public-webappsec@w3.org from October 2014)

From: Devdatta Akhawe <dev.akhawe@gmail.com>
Date: Fri, 31 Oct 2014 07:28:48 -0700
To: Kevin Hill <khill@microsoft.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAPfop_0Zf_QxrYM_5TMmgw11zn0RBESQaUfh5e-CzpP6Wo5PFg@mail.gmail.com>

Since about:blank inherits the origin afaik, I think the Firefox behavior
is correct.

On 31 October 2014 07:20, Kevin Hill <khill@microsoft.com> wrote:

>  When calling window.open and navigating to a blank page the current
> behavior in Chrome is that no CSP policy is inherited.  While in FF, the
> behavior is that the CSP from the parent doc is inherited.
>
>
>
> At TPAC I’d mentioned to Dan/Mike.  I wanted to start this email to
> highlight the difference and provide opportunity for discussion on what we
> should do here.  If the policy isn’t inherited I see a potential by pass
> for the parent docs policy, maybe I am looking at this the wrong way.
>
>
>
> Dan/Mike thoughts?
>

Received on Friday, 31 October 2014 14:29:35 UTC