Re: CSP: Blob URLs in new windows.

On Mon, Jul 20, 2015 at 11:57 AM, Eduardo' Vela" <Nava> <evn@google.com>
wrote:

> doesn't location='blob:foo' also work?
>

As does `window.location = 'javascript:foo';`. *shrug* If this is a bypass
we care about we could be more aggressive by tying the CSP of the document
that created a blob to the blob in some way, and applying that policy in
conjunction with the policy of the embedding document.

-mike

Received on Monday, 20 July 2015 10:20:54 UTC