- From: Sid Stamm <sid@mozilla.com>
- Date: Tue, 28 Apr 2015 10:12:51 -0400
- To: Jochen Eisinger <eisinger@google.com>
- Cc: Anne van Kesteren <annevk@annevk.nl>, WebAppSec WG <public-webappsec@w3.org>
On Mon, Apr 27, 2015 at 12:40 PM, Jochen Eisinger <eisinger@google.com> wrote:

> What does CSP do, if a page with a policy that disallows plugins creates an
> about:blank pop-up, can the pop-up run plugins?

The CSP spec is also not clear about this. I expected that in Firefox we'd block the load since the CSP is bound to the principal (the referrer policy is not). Test code below my signature.

I tested in Firefox and Chrome using a javascript:-based image loader. In Firefox, CSP blocks both the "load here" and the "load in _blank" images. In Chrome, they're both the same since _blank is ignored for javascript: schemes.

-Sid

---

<?php
header("Content-Security-Policy: default-src * 'unsafe-inline'; img-src 'none'");
$image = "https://www.w3.org/Icons/w3c_home";
$script = "javascript:(function() {var x=document.createElement('img'); x.src ='$image';document.body.appendChild(x);})();";
?>
<html>
<body>
<a href="<?=$script?>">Open here</a>
<br/>
<a href="<?=$script?>" target="_blank">Open there</a>
</body>
</html>

Received on Tuesday, 28 April 2015 14:13:21 UTC
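
The test in the message drives both links through javascript: URLs. A companion page that opens an about:blank pop-up with window.open() and probes the pop-up's document directly is sketched here as an added example; it is not part of the original post. It reuses the post's policy and image URL; the `probe()` and `log()` helpers and the element ids are hypothetical names.

```php
<?php
// Same policy as the test in the message: inline script allowed, all images blocked.
header("Content-Security-Policy: default-src * 'unsafe-inline'; img-src 'none'");
$image = "https://www.w3.org/Icons/w3c_home";
?>
<html>
<body>
<button id="go">Open about:blank pop-up</button>
<pre id="log"></pre>
<script>
var image = <?= json_encode($image) ?>;

// Append one line to the result log in the opener document.
function log(msg) {
  document.getElementById('log').textContent += msg + "\n";
}

// Create an <img> owned by the given document and report what happened.
function probe(doc, label) {
  // Fires only in browsers that implement the securitypolicyviolation event.
  doc.addEventListener('securitypolicyviolation', function (e) {
    log(label + ": CSP violation reported for " + e.violatedDirective);
  });
  var x = doc.createElement('img');
  x.onload = function () { log(label + ": image loaded (policy not enforced)"); };
  // onerror alone cannot tell a CSP block from a network failure.
  x.onerror = function () { log(label + ": image did not load"); };
  x.src = image;
  doc.body.appendChild(x);
}

document.getElementById('go').onclick = function () {
  // Baseline: the opener document carries the policy from the header.
  probe(document, "opener document");
  // The case asked about in the thread: a pop-up created from the opener.
  var w = window.open("about:blank", "_blank");
  if (!w) { log("pop-up was blocked by the browser"); return; }
  probe(w.document, "about:blank pop-up");
};
</script>
</body>
</html>
```

If the pop-up line reports a loaded image while the opener line does not, that browser is not applying the opener's policy to the about:blank document.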