Re: CSP: Blob URLs in new windows.

In a similar vein, I would like the ability to set the CSP on an iframe.
Currently I'm using DOMPurify to strip out JavaScript from the document and
then doing:

iframe.contentDocument = purifiedDocument

It would be great if I could set CSP using a better mechanism than adding a
meta tag to the purified document.

Conrad

On Mon, Jul 20, 2015 at 5:21 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Mon, Jul 20, 2015 at 6:40 AM, Mike West <mkwst@google.com> wrote:
> > Any objections to pushing CSP from an opener window to an openee in the
> > same cases where we'd push CSP from a parent frame to a child frame (e.g.
> > when the URL is a globally unique identifier)?
>
> A URL is never a globally unique identifier, and the origin of a blob
> URL is usually a normal-looking origin, but I agree that we should
> copy CSP to places that cannot set their own. And perhaps copy some
> other things too, such as Referrer Policy, what service worker to use,
> etc.
>
>
> --
> https://annevankesteren.nl/

Received on Monday, 20 July 2015 19:18:51 UTC