- From: Jochen Eisinger <eisinger@google.com>
- Date: Mon, 27 Apr 2015 16:40:13 +0000
- To: Anne van Kesteren <annevk@annevk.nl>
- Cc: Sid Stamm <sid@mozilla.com>, WebAppSec WG <public-webappsec@w3.org>
- Message-ID: <CALjhuidnyfoEy5BGUPOhkuxCdGHLGz+RCcSp2wnDezKLM-sZfQ@mail.gmail.com>
Since the href is a JavaScript url, the browser actually just executes some script and doesn't navigate at all. The script in the example happens to navigate the document, but it could add well insert a meta tag or alert() or something. I guess both inheriting the policy or not are fine. What does CSP do, if a page with a policy that disallows plugins creates an about:blank pop-up, can the pop-up run plugins? On Mon, Apr 27, 2015, 6:06 PM Anne van Kesteren <annevk@annevk.nl> wrote: > On Mon, Apr 27, 2015 at 5:32 PM, Jochen Eisinger <eisinger@google.com> > wrote: > > On Mon, Apr 27, 2015 at 5:19 AM Anne van Kesteren <annevk@annevk.nl> > wrote: > >> On Fri, Apr 24, 2015 at 3:13 PM, Sid Stamm <sid@mozilla.com> wrote: > >> > So what do you think? Copy the referrer policy or not? I'm leaning > >> > towards not, since we're creating a new document and the policy, > >> > delivered via HTML tag or CSP, is kind of associated with the document > >> > (not the principal). > >> > >> I think we should copy since before that new top-level browsing > >> context is navigated, it's about:blank and could not have a meaningful > >> policy set in any kind of way. > > > > you could still run some script on about:blank that inserts a meta tag > > The given case is > > <a href=... target=_blank> > > for which it seems unlikely you can execute script before the newly > created browsing context navigates unless you rewrite what clicking > that link does. > > > -- > https://annevankesteren.nl/ >
Received on Monday, 27 April 2015 16:40:43 UTC