W3C home > Mailing lists > Public > public-webappsec@w3.org > April 2015

Re: [REFERRER] policy inheritance via javascript: URI and new document

From: Jochen Eisinger <eisinger@google.com>
Date: Mon, 27 Apr 2015 16:40:13 +0000
Message-ID: <CALjhuidnyfoEy5BGUPOhkuxCdGHLGz+RCcSp2wnDezKLM-sZfQ@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Sid Stamm <sid@mozilla.com>, WebAppSec WG <public-webappsec@w3.org>
Since the href is a JavaScript url, the browser actually just executes some
script and doesn't navigate at all. The script in the example happens to
navigate the document, but it could add well insert a meta tag or alert()
or something.

I guess both inheriting the policy or not are fine.

What does CSP do, if a page with a policy that disallows plugins creates an
about:blank pop-up, can the pop-up run plugins?

On Mon, Apr 27, 2015, 6:06 PM Anne van Kesteren <annevk@annevk.nl> wrote:

> On Mon, Apr 27, 2015 at 5:32 PM, Jochen Eisinger <eisinger@google.com>
> wrote:
> > On Mon, Apr 27, 2015 at 5:19 AM Anne van Kesteren <annevk@annevk.nl>
> wrote:
> >> On Fri, Apr 24, 2015 at 3:13 PM, Sid Stamm <sid@mozilla.com> wrote:
> >> > So what do you think?  Copy the referrer policy or not?  I'm leaning
> >> > towards not, since we're creating a new document and the policy,
> >> > delivered via HTML tag or CSP, is kind of associated with the document
> >> > (not the principal).
> >>
> >> I think we should copy since before that new top-level browsing
> >> context is navigated, it's about:blank and could not have a meaningful
> >> policy set in any kind of way.
> >
> > you could still run some script on about:blank that inserts a meta tag
>
> The given case is
>
>   <a href=... target=_blank>
>
> for which it seems unlikely you can execute script before the newly
> created browsing context navigates unless you rewrite what clicking
> that link does.
>
>
> --
> https://annevankesteren.nl/
>
Received on Monday, 27 April 2015 16:40:43 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:12 UTC