Re: CSP: Blob URLs in new windows.

From: Anne van Kesteren <annevk@annevk.nl>
Date: Mon, 20 Jul 2015 14:21:59 +0200
Message-ID: <CADnb78h-R8cHj+ZrvpYVTbDhT2tE1KOq4k6qF0y6bDNzHTaJGw@mail.gmail.com>
To: Mike West <mkwst@google.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>

On Mon, Jul 20, 2015 at 6:40 AM, Mike West <mkwst@google.com> wrote:
> Any objections to pushing CSP from an opener window to an openee in the same
> cases where we'd push CSP from a parent frame to a child frame (e.g. when
> the URL is a globally unique identifier)?

A URL is never a globally unique identifier, and the origin of a blob
URL is usually a normal-looking origin, but I agree that we should
copy CSP to places that cannot set their own. And perhaps copy some
other things too, such as Referrer Policy, what service worker to use,

Received on Monday, 20 July 2015 12:22:24 UTC
