CSP: Blob URLs in new windows. from Mike West on 2015-07-20 (public-webappsec@w3.org from July 2015)

From: Mike West <mkwst@google.com>
Date: Mon, 20 Jul 2015 06:40:23 +0200
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAKXHy=c=cEhqSN7gzUoCU9cjaaQUneoSWeAwbGzpuJpyTjmq8w@mail.gmail.com>

https://code.google.com/p/chromium/issues/detail?id=511824 notes that
`blob:` URLs can be popped up into new windows, bypassing the inheritance
structure that CSP sets up for IFrames. Though this seems consistent with
the spec and with other browser's behavior, it's probably something we
ought to change in CSP3.

Any objections to pushing CSP from an opener window to an openee in the
same cases where we'd push CSP from a parent frame to a child frame (e.g.
when the URL is a globally unique identifier)?

--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München,
Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der
Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth
Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)

Received on Monday, 20 July 2015 04:41:14 UTC