I'd agree with Anne; this seems like a reasonable thing to add to CSP, but doesn't seem like it has much of anything to do with referrer policy. `disown-window-owner` seems fine as a strawman... Filed https://github.com/w3c/webappsec/issues/139 to poke at it. -mike -- Mike West <mkwst@google.com>, @mikewest Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth Flores (Sorry; I'm legally required to add this exciting detail to emails. Bleh.) On Thu, Jan 8, 2015 at 9:51 AM, Anne van Kesteren <annevk@annevk.nl> wrote: > On Wed, Jan 7, 2015 at 8:56 PM, Brad Hill <hillbrad@gmail.com> wrote: > > Ah. Thanks for the pointer to that discussion. If that behavior is > > mandated by rel="noreferrer", I definitely think we should apply the same > > logic when a referrer policy is 'none', but it seems it would also be > useful > > to be able to combine with any policy. (e.g. send origin-only referrer > but > > also disown window.opener) > > Yeah I think having a CSP way to disable opener would be great. I'm > not sure we should couple it to the Referrer Policy in any way, it > seems better those are orthogonal and only coupled through > rel=noreferrer (e.g. once we add a way to set the referrer to none > through the Fetch API it won't impact opener either). > > > -- > https://annevankesteren.nl/ > >
Received on Thursday, 8 January 2015 09:06:14 UTC