Re: [REFERRER] policy inheritance via javascript: URI and new document

On Mon, Apr 27, 2015 at 12:40 PM, Jochen Eisinger <eisinger@google.com> wrote:
> What does CSP do, if a page with a policy that disallows plugins creates an
> about:blank pop-up, can the pop-up run plugins?

The CSP spec is also not clear about this.  I expected that in Firefox
we'd block the load since the CSP is bound to the principal (the
referrer policy is not).

Test code below my signature. I tested in Firefox and Chrome using a
javascript:-based image loader.  In Firefox, CSP blocks both the "load
here" and the "load in _blank" images.  In Chrome, they're both the
same since _blank is ignored for javascript: schemes.

-Sid

---

<?php
  header("Content-Security-Policy: default-src * 'unsafe-inline';
img-src 'none'");
  $image = "https://www.w3.org/Icons/w3c_home";
  $script = "javascript:(function() {var
x=document.createElement('img'); x.src
='$image';document.body.appendChild(x);})();";
?>
<html>
  <body>
    <a href="<?=$script?>">Open here</a>
    <br/>
    <a href="<?=$script?>" target="_blank">Open there</a>
  </body>
</html>

Received on Tuesday, 28 April 2015 14:13:21 UTC