Re: CSP: Blob URLs in new windows. from Conrad Irwin on 2015-07-20 (public-webappsec@w3.org from July 2015)

From: Conrad Irwin <conrad.irwin@gmail.com>
Date: Mon, 20 Jul 2015 12:18:03 -0700
To: Anne van Kesteren <annevk@annevk.nl>
Cc: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAOTq_pv0fc-KxXyMFijEHHvWceFcs6jjJnMnctV4Aj4CeCH48g@mail.gmail.com>

In a similar vein, I would like the ability to set the CSP on an iframe.
Currently I'm using DOMPurify to strip out javascript from the document and
then doing:

iframe.contentDocument = purifiedDocument

It would be great if I could set CSP using a better mechanism than adding a
meta tag to the purified document.

Conrad

On Mon, Jul 20, 2015 at 5:21 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Mon, Jul 20, 2015 at 6:40 AM, Mike West <mkwst@google.com> wrote:
> > Any objections to pushing CSP from an opener window to an openee in the
> same
> > cases where we'd push CSP from a parent frame to a child frame (e.g. when
> > the URL is a globally unique identifier)?
>
> A URL is never a globally unique identifier, and the origin of a blob
> URL is usually a normal-looking origin, but I agree that we should
> copy CSP to places that cannot set their own. And perhaps copy some
> other things too, such as Referrer Policy, what service worker to use,
> etc.
>
>
> --
> https://annevankesteren.nl/
>
>

Received on Monday, 20 July 2015 19:18:51 UTC