CSP: Blob URLs in new windows.

From: Mike West <mkwst@google.com>
Date: Mon, 20 Jul 2015 06:40:23 +0200
Message-ID: <CAKXHy=c=cEhqSN7gzUoCU9cjaaQUneoSWeAwbGzpuJpyTjmq8w@mail.gmail.com>
To: "public-webappsec@w3.org" <public-webappsec@w3.org>

https://code.google.com/p/chromium/issues/detail?id=511824 notes that
`blob:` URLs can be popped up into new windows, bypassing the inheritance
structure that CSP sets up for IFrames. Though this seems consistent with
the spec and with other browsers' behavior, it's probably something we
ought to change in CSP3.

Any objections to pushing CSP from an opener window to an openee in the
same cases where we'd push CSP from a parent frame to a child frame (e.g.
when the URL is a globally unique identifier)?

Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
Received on Monday, 20 July 2015 04:41:14 UTC
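
The inheritance gap described in the message above, as a simplified model (an added example, not part of the original email and not browser or spec code). The function names are hypothetical, and the scheme list is an assumption based on the examples CSP2 gives for "globally unique identifier" URLs.

```javascript
// Simplified model of which CSP governs a newly created browsing context.
// Assumption: schemes treated as "globally unique identifiers".
const GUID_SCHEMES = new Set(["blob:", "data:", "filesystem:"]);

function isGloballyUnique(url) {
  return GUID_SCHEMES.has(new URL(url).protocol);
}

// ctx.relation: "parent" (iframe) or "opener" (new window).
// ctx.responsePolicy: CSP delivered with the resource itself; null for
// blob: content, which has no response headers of its own.
// inheritFromOpener=false models the behavior the message describes;
// true models the change it proposes for CSP3.
function effectivePolicy(ctx, inheritFromOpener) {
  const inherits =
    isGloballyUnique(ctx.url) &&
    (ctx.relation === "parent" ||
      (ctx.relation === "opener" && inheritFromOpener));
  return inherits ? ctx.creator.policy : ctx.responsePolicy;
}

// URLs of contexts that run with no policy even though the document that
// created them was protected: the cases a site's CSP review should look at.
function inheritanceGaps(contexts, inheritFromOpener) {
  return contexts
    .filter((c) => isGloballyUnique(c.url) && c.creator.policy !== null)
    .filter((c) => effectivePolicy(c, inheritFromOpener) === null)
    .map((c) => `${c.relation}:${c.url}`);
}

// Constructed sample data: one protected page creating three contexts.
const page = { policy: "script-src 'self'" };
const SAMPLE_CONTEXTS = [
  { url: "blob:https://app.example/1111", relation: "parent", creator: page, responsePolicy: null },
  { url: "blob:https://app.example/2222", relation: "opener", creator: page, responsePolicy: null },
  { url: "https://other.example/", relation: "opener", creator: page, responsePolicy: "default-src 'none'" },
];

console.log("behavior described:", inheritanceGaps(SAMPLE_CONTEXTS, false));
console.log("behavior proposed: ", inheritanceGaps(SAMPLE_CONTEXTS, true));
```

With the constructed sample, only the `blob:` URL opened in a new window ends up without a policy under the described behavior, and the proposed opener inheritance closes that case.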