- From: Mike West <mkwst@google.com>
- Date: Mon, 20 Jul 2015 06:40:23 +0200
- To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Monday, 20 July 2015 04:41:14 UTC
https://code.google.com/p/chromium/issues/detail?id=511824 notes that `blob:` URLs can be popped up into new windows, bypassing the inheritance structure that CSP sets up for IFrames. Though this seems consistent with the spec and with other browsers' behavior, it's probably something we ought to change in CSP3.

Any objections to pushing CSP from an opener window to an openee in the same cases where we'd push CSP from a parent frame to a child frame (e.g. when the URL is a globally unique identifier)?

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth Flores

(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)