- From: Sid Stamm <sid@mozilla.com>
- Date: Tue, 28 Apr 2015 10:12:51 -0400
- To: Jochen Eisinger <eisinger@google.com>
- Cc: Anne van Kesteren <annevk@annevk.nl>, WebAppSec WG <public-webappsec@w3.org>
On Mon, Apr 27, 2015 at 12:40 PM, Jochen Eisinger <eisinger@google.com> wrote:
> What does CSP do, if a page with a policy that disallows plugins creates an
> about:blank pop-up, can the pop-up run plugins?

The CSP spec is also not clear about this. I expected that in Firefox
we'd block the load since the CSP is bound to the principal (the
referrer policy is not).

Test code below my signature. I tested in Firefox and Chrome using a
javascript:-based image loader. In Firefox, CSP blocks both the "load
here" and the "load in _blank" images. In Chrome, they're both the
same since _blank is ignored for javascript: schemes.

-Sid
---
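<?php
// Allow everything except images, so only the image loads below are subject to a CSP block.
header("Content-Security-Policy: default-src * 'unsafe-inline'; img-src 'none'");
$image = "https://www.w3.org/Icons/w3c_home";
// javascript: URL that appends an <img> to the document it runs in.
$script = "javascript:(function() {var x=document.createElement('img'); x.src='$image';document.body.appendChild(x);})();";
?>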
<html>
<body>
<a href="<?=$script?>">Open here</a>
<br/>
<a href="<?=$script?>" target="_blank">Open there</a>
</body>
</html>
Received on Tuesday, 28 April 2015 14:13:21 UTC
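
The question quoted in this message concerns an about:blank pop-up, which the javascript: link test only reaches where the browser honours _blank. The following is an added example, not part of the original message: a Node.js harness that serves the same policy and image and probes both the opener and a window.open('about:blank') pop-up, so the result can be compared across browsers. The function names, port 8080 and the file name csp-popup.js are assumptions.

```javascript
// Added example: serves a page whose CSP forbids images, then probes an
// about:blank pop-up opened by that page. Names and port are assumptions.
const POLICY = "default-src * 'unsafe-inline'; img-src 'none'"; // policy from the post
const IMAGE = 'https://www.w3.org/Icons/w3c_home';              // image from the post

// Runs in the browser. The <img> is created with the target document's own
// createElement so the fetch is attributed to that document, not the opener.
function probe(doc, label, imageUrl, report) {
  doc.addEventListener('securitypolicyviolation', (e) =>
    report(label + ': CSP violation, directive ' + e.violatedDirective));
  const img = doc.createElement('img');
  img.onload = () => report(label + ': image loaded, policy not enforced');
  img.onerror = () => report(label + ': image did not load');
  img.src = imageUrl;
  doc.body.appendChild(img);
}

function buildPage() {
  return `<!doctype html>
<html><body>
<button id="go">Open about:blank pop-up</button>
<pre id="log"></pre>
<script>
${probe.toString()}
const report = (m) => { document.getElementById('log').textContent += m + '\\n'; };
probe(document, 'opener', ${JSON.stringify(IMAGE)}, report);
document.getElementById('go').onclick = () => {
  const w = window.open('about:blank', '_blank');
  if (!w) { report('popup: blocked by the pop-up blocker'); return; }
  probe(w.document, 'popup', ${JSON.stringify(IMAGE)}, report);
};
</script>
</body></html>`;
}

function handle(req, res) {
  res.writeHead(200, {
    'Content-Type': 'text/html; charset=utf-8',
    'Content-Security-Policy': POLICY,
  });
  res.end(buildPage());
}

// Start with: node csp-popup.js serve   (then browse to http://127.0.0.1:8080/)
if (process.argv[2] === 'serve') {
  import('node:http').then((http) => http.createServer(handle).listen(8080, '127.0.0.1'));
}
```

A pop-up that inherits the opener's policy logs a violation for the "popup" probe as well as the "opener" probe; a pop-up that does not logs "image loaded".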