- From: Mike West <mkwst@google.com>
- Date: Mon, 20 Jul 2015 12:20:05 +0200
- To: "Eduardo' Vela <Nava>" <evn@google.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Received on Monday, 20 July 2015 10:20:54 UTC
On Mon, Jul 20, 2015 at 11:57 AM, Eduardo' Vela" <Nava> <evn@google.com> wrote:

> doesn't location='blob:foo' also work?

As does `window.location = 'javascript:foo';`. *shrug*

If this is a bypass we care about we could be more aggressive by tying the CSP of the document that created a blob to the blob in some way, and applying that policy in conjunction with the policy of the embedding document.

-mike