Re: [REFERRER] policy inheritance via javascript: URI and new document

From: Anne van Kesteren <annevk@annevk.nl>
Date: Mon, 27 Apr 2015 18:06:34 +0200
Message-ID: <CADnb78jo+S-9qE93OdLSq5=fKUooO+Oz4Tmz7OF0pOyp0pcwVQ@mail.gmail.com>
To: Jochen Eisinger <eisinger@google.com>
Cc: Sid Stamm <sid@mozilla.com>, WebAppSec WG <public-webappsec@w3.org>

On Mon, Apr 27, 2015 at 5:32 PM, Jochen Eisinger <eisinger@google.com> wrote:
> On Mon, Apr 27, 2015 at 5:19 AM Anne van Kesteren <annevk@annevk.nl> wrote:
>> On Fri, Apr 24, 2015 at 3:13 PM, Sid Stamm <sid@mozilla.com> wrote:
>> > So what do you think?  Copy the referrer policy or not?  I'm leaning
>> > towards not, since we're creating a new document and the policy,
>> > delivered via HTML tag or CSP, is kind of associated with the document
>> > (not the principal).
>>
>> I think we should copy since before that new top-level browsing
>> context is navigated, it's about:blank and could not have a meaningful
>> policy set in any kind of way.
>
> you could still run some script on about:blank that inserts a meta tag

The given case is

  <a href=... target=_blank>

for which it seems unlikely you can execute script before the newly
created browsing context navigates unless you rewrite what clicking
that link does.


-- 
https://annevankesteren.nl/
Received on Monday, 27 April 2015 16:07:02 UTC