- From: Mike West <mkwst@google.com>
- Date: Tue, 28 Apr 2015 07:24:31 -0700
- To: Jochen Eisinger <eisinger@google.com>
- Cc: Sid Stamm <sid@mozilla.com>, Anne van Kesteren <annevk@annevk.nl>, WebAppSec WG <public-webappsec@w3.org>
- Message-ID: <CAKXHy=dn9=OEUBQGcuVroG9zxpuEHPqjTmbbBenxhe3AHBUzqw@mail.gmail.com>
This isn't a CSP issue, is it? It's a "What do you do with `target='blank_'` when applied to a `javascript:` URL?" question. Without thinking about it too hard, Chrome's behavior here seems pretty reasonable; `javascript:` isn't a navigational URL, it simply executes code in the current execution context. Resource requests and navigations that it produces ought to be governed by that context's referrer policy.

-mike

--
Mike West <mkwst@google.com>, @mikewest
Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
Register court and number: Hamburg, HRB 86891
Registered office: Hamburg
Managing directors: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Tue, Apr 28, 2015 at 7:13 AM, Jochen Eisinger <eisinger@google.com> wrote:
> +Mike West <mkwst@google.com> to grab his attention
>
> Since we can deliver a referrer policy via CSP, I guess it would be great if they both behaved the same
>
> On Tue, Apr 28, 2015 at 4:12 PM Sid Stamm <sid@mozilla.com> wrote:
>
>> On Mon, Apr 27, 2015 at 12:40 PM, Jochen Eisinger <eisinger@google.com> wrote:
>> > What does CSP do, if a page with a policy that disallows plugins creates an about:blank pop-up, can the pop-up run plugins?
>>
>> The CSP spec is also not clear about this. I expected that in Firefox we'd block the load since the CSP is bound to the principal (the referrer policy is not).
>>
>> Test code below my signature. I tested in Firefox and Chrome using a javascript:-based image loader. In Firefox, CSP blocks both the "load here" and the "load in _blank" images. In Chrome, they're both the same since _blank is ignored for javascript: schemes.
>>
>> -Sid
>>
>> ---
>>
>> <?php
>> header("Content-Security-Policy: default-src * 'unsafe-inline'; img-src 'none'");
>> $image = "https://www.w3.org/Icons/w3c_home";
>> $script = "javascript:(function() {var x=document.createElement('img'); x.src='$image';document.body.appendChild(x);})();";
>> ?>
>> <html>
>> <body>
>> <a href="<?=$script?>">Open here</a>
>> <br/>
>> <a href="<?=$script?>" target="_blank">Open there</a>
>> </body>
>> </html>
>
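For readers following Sid's test, here is an added example (not from the thread, and not a browser's implementation) that evaluates his `Content-Security-Policy` header against the image URL from the test page, showing why `img-src 'none'` blocks the load even though `default-src` is `*`. It assumes a constructed page origin `https://example.test` and handles only the `'none'`, `*`, `'self'` and plain host-source forms of the CSP source grammar.

```javascript
// Added example: minimal CSP fetch-directive evaluator. Only 'none', '*',
// 'self' and exact host-sources are handled; real browsers implement the
// full source-expression grammar (wildcards, ports, paths, nonces, hashes).
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// Fetch directives such as img-src fall back to default-src when absent;
// null means the policy places no restriction on this directive at all.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  return policy.has('default-src') ? policy.get('default-src') : null;
}

function sourceMatches(expr, url, self) {
  if (expr === "'none'") return false;          // 'none' never matches
  if (expr === '*') return url.protocol === 'http:' || url.protocol === 'https:';
  if (expr === "'self'") return url.origin === self.origin;
  if (expr.startsWith("'")) return false;       // other keywords are not hosts
  // host-source: optional scheme plus an exact host (no wildcards or ports here)
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)$/i.exec(expr);
  return !!m && (!m[1] || url.protocol === m[1].toLowerCase() + ':')
             && url.hostname.toLowerCase() === m[2].toLowerCase();
}

// Returns true when `target` may be loaded for `directive` by a document at `documentUrl`.
function isAllowed(header, directive, target, documentUrl) {
  const sources = effectiveSources(parsePolicy(header), directive);
  if (sources === null) return true;
  const url = new URL(target), self = new URL(documentUrl);
  return sources.some(s => sourceMatches(s, url, self));
}

const SID_POLICY = "default-src * 'unsafe-inline'; img-src 'none'"; // from the test page
const IMAGE = 'https://www.w3.org/Icons/w3c_home';                  // from the test page
const PAGE = 'https://example.test/csp-test.php';                   // constructed origin

// img-src 'none' overrides default-src *, so the image load is blocked...
console.log('image allowed:', isAllowed(SID_POLICY, 'img-src', IMAGE, PAGE));     // false
// ...while script-src is absent, falls back to default-src * and is allowed.
console.log('script allowed:', isAllowed(SID_POLICY, 'script-src', IMAGE, PAGE)); // true
```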
Received on Tuesday, 28 April 2015 14:25:19 UTC