W3C home > Mailing lists > Public > public-webappsec@w3.org > April 2015

Re: [REFERRER] policy inheritance via javascript: URI and new document

From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 30 Apr 2015 10:45:06 +0200
Message-ID: <CADnb78i1f_hDC_=Mt0wqrLkQgib+_10YYiSeSgNQJS1OEZjvTw@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: Jochen Eisinger <eisinger@google.com>, Sid Stamm <sid@mozilla.com>, WebAppSec WG <public-webappsec@w3.org>
On Tue, Apr 28, 2015 at 4:35 PM, Mike West <mkwst@google.com> wrote:
> I think that logic would have to carry across to new documents created via
> `window.open`. Until that context navigates, it's fairly indistinguishable
> from the context that created it.

Note that

  <a href=http://example.com/ target=_blank>

is fairly indistinguishable from that case and we should inherit there
too. Because indeed, an about:blank context is created for which no
meaningful policy is set. So it better match the one from its creator
otherwise you have a way out.

Received on Thursday, 30 April 2015 08:45:35 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:48 UTC