- From: Devdatta Akhawe <dev.akhawe@gmail.com>
- Date: Thu, 8 Jan 2015 13:50:35 -0800
- To: Mike West <mkwst@google.com>
- Cc: Anne van Kesteren <annevk@annevk.nl>, Brad Hill <hillbrad@gmail.com>, Boris Zbarsky <bzbarsky@mit.edu>, WebAppSec WG <public-webappsec@w3.org>, Ian Hickson <ian@hixie.ch>
In the spirit of safe defaults, maybe we can just do: disable window.opener for all referrer policies that are not "unsafe-url", and you can opt out when you do a window.open call (through another argument to it or something).

cheers
dev

On 8 January 2015 at 01:05, Mike West <mkwst@google.com> wrote:
> I'd agree with Anne; this seems like a reasonable thing to add to CSP, but
> doesn't seem like it has much of anything to do with referrer policy.
> `disown-window-owner` seems fine as a strawman... Filed
> https://github.com/w3c/webappsec/issues/139 to poke at it.
>
> -mike
>
> --
> Mike West <mkwst@google.com>, @mikewest
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany,
> Registration court and number: Hamburg, HRB 86891, registered office:
> Hamburg, managing directors: Graham Law, Christine Elizabeth Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
>
> On Thu, Jan 8, 2015 at 9:51 AM, Anne van Kesteren <annevk@annevk.nl> wrote:
>>
>> On Wed, Jan 7, 2015 at 8:56 PM, Brad Hill <hillbrad@gmail.com> wrote:
>> > Ah. Thanks for the pointer to that discussion. If that behavior is
>> > mandated by rel="noreferrer", I definitely think we should apply the
>> > same logic when a referrer policy is 'none', but it seems it would also be
>> > useful to be able to combine with any policy. (e.g. send origin-only
>> > referrer but also disown window.opener)
>>
>> Yeah I think having a CSP way to disable opener would be great. I'm
>> not sure we should couple it to the Referrer Policy in any way, it
>> seems better those are orthogonal and only coupled through
>> rel=noreferrer (e.g. once we add a way to set the referrer to none
>> through the Fetch API it won't impact opener either).
>>
>>
>> --
>> https://annevankesteren.nl/
>>
>
Received on Thursday, 8 January 2015 21:51:22 UTC
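As an added example (not code from this thread or from any of its participants), the safe default Devdatta proposes, written as a `window.open` wrapper plus an anchor fixer in JavaScript: the opener relationship is cut unless the caller opts in explicitly. It assumes the `noopener` window feature and `rel=noopener` link type, both added to HTML after this 2015 discussion, and a hypothetical `data-keep-opener` opt-in attribute; the fake window and anchor objects are constructed so it runs outside a browser.

```javascript
// Added example, not code from the thread: a window.open wrapper and an anchor
// fixer that apply the "safe default" proposed above. The opener link is cut
// unless the caller opts in. Assumes the 'noopener' window feature and the
// rel=noopener link type, both added to HTML after this 2015 discussion.
function openWithSafeDefault(url, { keepOpener = false, win = globalThis.window } = {}) {
  if (!win || typeof win.open !== 'function') throw new Error('no window available');
  if (keepOpener) {
    // Explicit opt-in: the opened document can reach window.opener.
    return { handle: win.open(url, '_blank'), openerDisowned: false };
  }
  // With 'noopener' the new browsing context starts with a null opener and
  // window.open itself returns null.
  const handle = win.open(url, '_blank', 'noopener');
  // Engines that ignore unknown features still return a handle; nulling its
  // opener is the pre-'noopener' fallback.
  if (handle && 'opener' in handle) handle.opener = null;
  return { handle: null, openerDisowned: true };
}

// Markup side: target=_blank anchors get rel=noopener unless they already
// carry noreferrer (which also disowns opener, as the thread notes) or the
// opt-in attribute data-keep-opener (a name assumed here).
function hardenAnchorRel(anchor) {
  const current = anchor.getAttribute('rel') || '';
  if ((anchor.getAttribute('target') || '').toLowerCase() !== '_blank') return current;
  if (anchor.hasAttribute('data-keep-opener')) return current;
  const tokens = new Set(current.split(/\s+/).filter(Boolean));
  if (!tokens.has('noreferrer')) tokens.add('noopener');
  const rel = [...tokens].join(' ');
  anchor.setAttribute('rel', rel);
  return rel;
}

// Constructed stand-ins so the example runs outside a browser.
function makeFakeWindow() {
  const win = { calls: [] };
  win.open = (url, target, features = '') => {
    win.calls.push({ url, target, features });
    return features === 'noopener' ? null : { opener: win };
  };
  return win;
}
function makeFakeAnchor(attrs) {
  const map = new Map(Object.entries(attrs));
  return {
    getAttribute: (k) => (map.has(k) ? map.get(k) : null),
    hasAttribute: (k) => map.has(k),
    setAttribute: (k, v) => { map.set(k, String(v)); },
  };
}
```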