Re: Adding window.opener control to referrer-policy?

From: Anne van Kesteren <annevk@annevk.nl>
Date: Thu, 8 Jan 2015 09:51:17 +0100
Message-ID: <CADnb78gse1Uh+kW2kSBRvS=cfh=OUF8hf4ps8XPjcvcjzvAD_Q@mail.gmail.com>
To: Brad Hill <hillbrad@gmail.com>
Cc: Boris Zbarsky <bzbarsky@mit.edu>, WebAppSec WG <public-webappsec@w3.org>, Ian Hickson <ian@hixie.ch>

On Wed, Jan 7, 2015 at 8:56 PM, Brad Hill <hillbrad@gmail.com> wrote:
> Ah.  Thanks for the pointer to that discussion.  If that behavior is
> mandated by rel="noreferrer", I definitely think we should apply the same
> logic when a referrer policy is 'none', but it seems it would also be useful
> to be able to combine with any policy. (e.g. send origin-only referrer but
> also disown window.opener)

Yeah, I think having a CSP way to disable opener would be great. I'm
not sure we should couple it to the Referrer Policy in any way; it
seems better that those are orthogonal and only coupled through
rel=noreferrer (e.g. once we add a way to set the referrer to none
through the Fetch API it won't impact opener either).


-- 
https://annevankesteren.nl/
Received on Thursday, 8 January 2015 08:51:44 UTC