
Re: [REFERRER] policy inheritance via javascript: URI and new document

From: Sid Stamm <sid@mozilla.com>
Date: Tue, 28 Apr 2015 10:12:51 -0400
Message-ID: <CAP=NJFM+zo5=8MOrsYD-amTPsZfz6OC2SbqUR-7pf4L2eqgx=A@mail.gmail.com>
To: Jochen Eisinger <eisinger@google.com>
Cc: Anne van Kesteren <annevk@annevk.nl>, WebAppSec WG <public-webappsec@w3.org>
On Mon, Apr 27, 2015 at 12:40 PM, Jochen Eisinger <eisinger@google.com> wrote:
> What does CSP do, if a page with a policy that disallows plugins creates an
> about:blank pop-up, can the pop-up run plugins?

The CSP spec is also not clear about this.  I expected that in Firefox
we'd block the load since the CSP is bound to the principal (the
referrer policy is not).

Test code below my signature. I tested in Firefox and Chrome using a
javascript:-based image loader.  In Firefox, CSP blocks both the "load
here" and the "load in _blank" images.  In Chrome, they're both the
same since _blank is ignored for javascript: schemes.

-Sid

---

<?php
  // Policy allows everything, including inline script, except image loads.
  header("Content-Security-Policy: default-src * 'unsafe-inline'; img-src 'none'");
  $image = "https://www.w3.org/Icons/w3c_home";
  // javascript: URI that injects an <img> into whichever document ends up running it.
  $script = "javascript:(function() {var x=document.createElement('img'); x.src='$image';document.body.appendChild(x);})();";
?>
<html>
  <body>
    <a href="<?=$script?>">Open here</a>
    <br/>
    <a href="<?=$script?>" target="_blank">Open there</a>
  </body>
</html>
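The following is an added test harness, not Sid's code: it keeps the same policy, adds report-uri so each blocked image load is recorded on the server, and adds the about:blank pop-up case Jochen asked about. It assumes the file is served as /csp-inherit.php and that the web server may write csp-reports.log next to it (both hypothetical names).

```php
<?php
// Added example, not from the original message. Assumes this file is served
// as /csp-inherit.php (hypothetical path) and can append to csp-reports.log.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_GET['report'])) {
  // Browser POSTs a JSON violation report here; append it to a log file.
  file_put_contents(__DIR__ . '/csp-reports.log',
    date('c') . ' ' . file_get_contents('php://input') . "\n", FILE_APPEND);
  http_response_code(204);
  exit;
}
// Same policy as Sid's test, plus a report-uri pointing back at this script.
header("Content-Security-Policy: default-src * 'unsafe-inline'; img-src 'none'; "
     . "report-uri /csp-inherit.php?report=1");
$image = "https://www.w3.org/Icons/w3c_home";
$script = "javascript:(function(){var x=document.createElement('img');"
        . "x.src='$image';document.body.appendChild(x);})();";
?>
<html>
  <body>
    <a href="<?=$script?>">Open here</a>
    <br/>
    <a href="<?=$script?>" target="_blank">Open there</a>
    <br/>
    <a href="#" onclick="return popup()">Open in about:blank pop-up</a>
    <script>
      // Log securitypolicyviolation events per window so the console shows
      // whether the opener, the pop-up, or neither blocked the image.
      function watch(win, label) {
        win.document.addEventListener('securitypolicyviolation', function (e) {
          console.log(label + ' blocked ' + e.blockedURI +
                      ' (' + e.violatedDirective + ')');
        });
      }
      watch(window, 'opener');
      function popup() {
        // Initial about:blank document is available synchronously and has a body.
        var w = window.open('about:blank');
        watch(w, 'popup');
        var x = w.document.createElement('img');
        x.src = <?=json_encode($image)?>;
        w.document.body.appendChild(x);
        return false;
      }
    </script>
  </body>
</html>
```

A browser that inherits the opener's policy into the pop-up logs the violation under "popup" and posts a report; one that does not inherit it loads the image with no report at all.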
Received on Tuesday, 28 April 2015 14:13:21 UTC
