
Re: CSP: Blob URLs in new windows.

From: Brad Hill <hillbrad@gmail.com>
Date: Mon, 20 Jul 2015 21:33:58 +0000
Message-ID: <CAEeYn8iZ6Bk+p9hkxancSPnNnQv5-bTHOjjQrQUUJvTXg8gzEw@mail.gmail.com>
To: Conrad Irwin <conrad.irwin@gmail.com>, Anne van Kesteren <annevk@annevk.nl>
Cc: Mike West <mkwst@google.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
I think the proposal to consistently flow CSP (and potentially other policy
and document state) to new browsing contexts created from "inline" content,
whether it is exactly a "child" or simply a new context, makes a lot of
sense (especially since window.opener gives a reference that makes
SOP-based bypasses trivial).

I'd like to keep that issue distinct from the idea of being able to
programmatically set CSP on an iframe; that's a much trickier problem.
Conrad, can you please start a new thread for that use case and describe it
in detail?


Brad Hill

On Mon, Jul 20, 2015 at 12:20 PM Conrad Irwin <conrad.irwin@gmail.com>

> In a similar vein, I would like the ability to set the CSP on an iframe.
> Currently I'm using DOMPurify to strip out javascript from the document and
> then doing:
> iframe.contentDocument = purifiedDocument
> It would be great if I could set CSP using a better mechanism than adding
> a meta tag to the purified document.
> Conrad
> On Mon, Jul 20, 2015 at 5:21 AM, Anne van Kesteren <annevk@annevk.nl>
> wrote:
>> On Mon, Jul 20, 2015 at 6:40 AM, Mike West <mkwst@google.com> wrote:
>> > Any objections to pushing CSP from an opener window to an openee in the
>> same
>> > cases where we'd push CSP from a parent frame to a child frame (e.g.
>> when
>> > the URL is a globally unique identifier)?
>> A URL is never a globally unique identifier, and the origin of a blob
>> URL is usually a normal-looking origin, but I agree that we should
>> copy CSP to places that cannot set their own. And perhaps copy some
>> other things too, such as Referrer Policy, what service worker to use,
>> etc.
>> --
>> https://annevankesteren.nl/
Received on Monday, 20 July 2015 21:34:36 UTC
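The two behaviours the thread contrasts, as an added example in JavaScript that is not code from the thread or from the CSP specification: a check modelling which URLs name documents that have no response headers of their own and so, under the proposal above, should inherit their creator's policy, and Conrad's use case of giving purified content its own policy through a meta tag before framing it. The scheme list, the helper names, the default base URL and the sample inputs are assumptions of this example.

```javascript
// Added example, not from the thread. Runs under Node for the pure functions;
// the browser-only part is guarded.

// Documents created from in-memory content (about:blank, blob:, data:, ...) are
// never fetched over HTTP, so there is no response to carry a
// Content-Security-Policy header. The thread's proposal is that such a
// document, whether framed or opened in a new window, inherits the policy of
// the context that created it. This list is an assumption of the example.
const HEADERLESS_SCHEMES = new Set(["about:", "blob:", "data:", "javascript:", "filesystem:"]);

// Base used only to resolve relative URLs (assumed; a real page would use document.baseURI).
const DEFAULT_BASE = "https://app.example/";

function shouldInheritPolicy(url, base = DEFAULT_BASE) {
  const parsed = new URL(url, base); // throws on garbage, which is the right failure here
  return HEADERLESS_SCHEMES.has(parsed.protocol);
}

// Directives CSP ignores when delivered via <meta http-equiv>, so a policy
// relying on them must come from a header. Refusing them here makes the
// limitation visible instead of silently weakening the policy.
const META_UNSUPPORTED = new Set(["frame-ancestors", "report-uri", "sandbox"]);

function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;");
}

// Wrap already-purified HTML in a document whose first element is a CSP meta
// tag. A meta CSP applies only from the point it is parsed and only when it is
// a child of <head>, so it goes first, and a second meta tag smuggled into the
// body by the content is ignored. Input is assumed to be a DOMPurify-style body
// fragment.
function buildSandboxedDocument(purifiedHtml, directives) {
  const bad = Object.keys(directives).filter((d) => META_UNSUPPORTED.has(d));
  if (bad.length) throw new Error(`meta CSP cannot carry: ${bad.join(", ")}`);
  const policy = Object.entries(directives)
    .map(([name, value]) => (value ? `${name} ${value}` : name))
    .join("; ");
  const meta = `<meta http-equiv="Content-Security-Policy" content="${escapeAttr(policy)}">`;
  return `<!doctype html><html><head>${meta}</head><body>${purifiedHtml}</body></html>`;
}

// Browser-only demonstration of both cases (not executed under Node).
function demoInBrowser(purifiedHtml) {
  if (typeof window === "undefined" || typeof document === "undefined") return null;

  // (a) Framed purified content with its own policy. Without the sandbox
  // attribute a srcdoc frame is same-origin with this page, so everything rests
  // on purification; an empty sandbox gives it an opaque origin as well.
  const frame = document.createElement("iframe");
  frame.setAttribute("sandbox", "");
  frame.srcdoc = buildSandboxedDocument(purifiedHtml, {
    "default-src": "'none'",
    "img-src": "https:",
  });
  document.body.appendChild(frame);

  // (b) The new-window case from the thread. A blob: URL takes this page's
  // origin, so the opened document is same-origin with it and receives a
  // window.opener reference back to it; if policy did not flow to it, it would
  // run with no CSP at all.
  const url = URL.createObjectURL(new Blob([purifiedHtml], { type: "text/html" }));
  const opened = window.open(url);
  return { url, inherits: shouldInheritPolicy(url), hasOpener: opened && opened.opener === window };
}
```

For Conrad's flow this replaces writing a meta tag into the purified document by hand; the `frame-ancestors`, `report-uri` and `sandbox` rejection is the check to keep, since a meta-delivered policy silently drops those directives.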
