Re: Adding window.opener control to referrer-policy?

In the spirit of safe defaults, maybe we can just do: disable
window.opener for all referer policies that are not "unsafe-url" and
you can opt out when you do a window.open call (through another
argument to it or something)

cheers
dev

On 8 January 2015 at 01:05, Mike West <mkwst@google.com> wrote:
> I'd agree with Anne; this seems like a reasonable thing to add to CSP, but
> doesn't seem like it has much of anything to do with referrer policy.
> `disown-window-owner` seems fine as a strawman... Filed
> https://github.com/w3c/webappsec/issues/139 to poke at it.
>
> -mike
>
> --
> Mike West <mkwst@google.com>, @mikewest
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany,
> Registergericht und -nummer: Hamburg, HRB 86891, Sitz der Gesellschaft:
> Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
>
> On Thu, Jan 8, 2015 at 9:51 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
>>
>> On Wed, Jan 7, 2015 at 8:56 PM, Brad Hill <hillbrad@gmail.com> wrote:
>> > Ah.  Thanks for the pointer to that discussion.  If that behavior is
>> > mandated by rel="noreferrer", I definitely think we should apply the
>> > same
>> > logic when a referrer policy is 'none', but it seems it would also be
>> > useful
>> > to be able to combine with any policy. (e.g. send origin-only referrer
>> > but
>> > also disown window.opener)
>>
>> Yeah I think having a CSP way to disable opener would be great. I'm
>> not sure we should couple it to the Referrer Policy in any way, it
>> seems better those are orthogonal and only coupled through
>> rel=noreferrer (e.g. once we add a way to set the referrer to none
>> through the Fetch API it won't impact opener either).
>>
>>
>> --
>> https://annevankesteren.nl/
>>
>

Received on Thursday, 8 January 2015 21:51:22 UTC