Re: [REFERRER] policy inheritance via javascript: URI and new document

From: Anne van Kesteren <annevk@annevk.nl>
Date: Mon, 27 Apr 2015 18:06:34 +0200
Message-ID: <CADnb78jo+S-9qE93OdLSq5=fKUooO+Oz4Tmz7OF0pOyp0pcwVQ@mail.gmail.com>
To: Jochen Eisinger <eisinger@google.com>
Cc: Sid Stamm <sid@mozilla.com>, WebAppSec WG <public-webappsec@w3.org>

On Mon, Apr 27, 2015 at 5:32 PM, Jochen Eisinger <eisinger@google.com> wrote:
> On Mon, Apr 27, 2015 at 5:19 AM Anne van Kesteren <annevk@annevk.nl> wrote:
>> On Fri, Apr 24, 2015 at 3:13 PM, Sid Stamm <sid@mozilla.com> wrote:
>> > So what do you think?  Copy the referrer policy or not?  I'm leaning
>> > towards not, since we're creating a new document and the policy,
>> > delivered via HTML tag or CSP, is kind of associated with the document
>> > (not the principal).
>> I think we should copy since before that new top-level browsing
>> context is navigated, it's about:blank and could not have a meaningful
>> policy set in any kind of way.
> you could still run some script on about:blank that inserts a meta tag

The given case is

  <a href=... target=_blank>

for which it seems unlikely you can execute script before the newly
created browsing context navigates unless you rewrite what clicking
that link does.

Received on Monday, 27 April 2015 16:07:02 UTC