W3C home > Mailing lists > Public > public-webappsec@w3.org > July 2015

Re: CSP: Blob URLs in new windows.

From: Mike West <mkwst@google.com>
Date: Mon, 20 Jul 2015 12:20:05 +0200
Message-ID: <CAKXHy=fH-Gc2-O0dd39445XSGOtUgbCUvBm6fzA7-fo9Pp+8mg@mail.gmail.com>
To: "Eduardo' Vela <Nava>" <evn@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On Mon, Jul 20, 2015 at 11:57 AM, Eduardo' Vela" <Nava> <evn@google.com>
wrote:

> doesn't location='blob:foo' also work?
>

As does `window.location = 'javascript:foo';`. *shrug* If this is a bypass
we care about we could be more agressive by tying the CSP of the document
that created a blob to the blob in some way, and applying that policy in
conjunction with the policy of the embedding document.

-mike
Received on Monday, 20 July 2015 10:20:54 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:13 UTC