W3C home > Mailing lists > Public > public-webappsec@w3.org > April 2015

Re: [REFERRER] policy inheritance via javascript: URI and new document

From: Jochen Eisinger <eisinger@google.com>
Date: Tue, 28 Apr 2015 14:42:13 +0000
Message-ID: <CALjhuifsUCiqUzKdp7qqyQtvcjDSmcarXpsfVpu0WnX3gN_zLQ@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Sid Stamm <sid@mozilla.com>, Anne van Kesteren <annevk@annevk.nl>, WebAppSec WG <public-webappsec@w3.org>
k, so you basically vote for the same behavior as Anne :)

On Tue, Apr 28, 2015 at 4:35 PM Mike West <mkwst@google.com> wrote:

> On Tue, Apr 28, 2015 at 7:30 AM, Jochen Eisinger <eisinger@google.com>
> wrote:
>> On Tue, Apr 28, 2015 at 4:24 PM Mike West <mkwst@google.com> wrote:
>>> This isn't a CSP issue, is it? It's a "What do you do with
>>> `target='blank_'` when applied to a `javascript:` URL?" question. Without
>>> thinking about it too hard, Chrome's behavior here seems pretty reasonable;
>>> `javascript:` isn't a navigational URL, it simply executes code in the
>>> current execution context. Resource requests and navigations that it
>>> produces ought to be governed by that context's referrer policy.
>> If you have a link href="javascript:.." target="blank_" we first create a
>> new document (or at least firefox does...) and then execute the script in
>> that context.
>> The question is, what policies do apply to that new document?
> Ok, so the new window is somewhat of a red herring. We have the same issue
> for `iframe`, don't we? That is, what CSP ought apply to the document
> created inside `<iframe src='about:blank'></iframe>`? I hope the spec says
> we inherit in that case. I know we will for `blob:`-style embeddings, and
> `about:blank` is the same.
> I think that logic would have to carry across to new documents created via
> `window.open`. Until that context navigates, it's fairly indistinguishable
> from the context that created it.
> -mike
Received on Tuesday, 28 April 2015 14:42:42 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:48 UTC