- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Thu, 30 Apr 2015 10:45:06 +0200
- To: Mike West <mkwst@google.com>
- Cc: Jochen Eisinger <eisinger@google.com>, Sid Stamm <sid@mozilla.com>, WebAppSec WG <public-webappsec@w3.org>
On Tue, Apr 28, 2015 at 4:35 PM, Mike West <mkwst@google.com> wrote: > I think that logic would have to carry across to new documents created via > `window.open`. Until that context navigates, it's fairly indistinguishable > from the context that created it. Note that <a href=http://example.com/ target=_blank> is fairly indistinguishable from that case and we should inherit there too. Because indeed, an about:blank context is created for which no meaningful policy is set. So it better match the one from its creator otherwise you have a way out. -- https://annevankesteren.nl/
Received on Thursday, 30 April 2015 08:45:35 UTC