Re: Adding window.opener control to referrer-policy?

From: Mike West <mkwst@google.com>
Date: Thu, 8 Jan 2015 10:05:26 +0100
Message-ID: <CAKXHy=fVxcMcykuO=1rGYcJO4jPT+8MmvdT1mzj2A=m2t9o7fA@mail.gmail.com>
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Brad Hill <hillbrad@gmail.com>, Boris Zbarsky <bzbarsky@mit.edu>, WebAppSec WG <public-webappsec@w3.org>, Ian Hickson <ian@hixie.ch>

I'd agree with Anne; this seems like a reasonable thing to add to CSP, but
doesn't seem like it has much of anything to do with referrer policy.
`disown-window-owner` seems fine as a strawman... Filed
https://github.com/w3c/webappsec/issues/139 to poke at it.


Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

On Thu, Jan 8, 2015 at 9:51 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Wed, Jan 7, 2015 at 8:56 PM, Brad Hill <hillbrad@gmail.com> wrote:
> > Ah.  Thanks for the pointer to that discussion.  If that behavior is
> > mandated by rel="noreferrer", I definitely think we should apply the same
> > logic when a referrer policy is 'none', but it seems it would also be useful
> > to be able to combine with any policy. (e.g. send origin-only referrer but
> > also disown window.opener)
>
> Yeah I think having a CSP way to disable opener would be great. I'm
> not sure we should couple it to the Referrer Policy in any way, it
> seems better those are orthogonal and only coupled through
> rel=noreferrer (e.g. once we add a way to set the referrer to none
> through the Fetch API it won't impact opener either).
> --
> https://annevankesteren.nl/

Received on Thursday, 8 January 2015 09:06:14 UTC