Re: CSP: Blob URLs in new windows.

I think the proposal to consistently flow CSP (and potentially other policy
and document state) to new browsing contexts created from "inline" content,
whether it is exactly a "child" or simply a new context, makes a lot of
sense (especially since window.opener gives a reference that makes
SOP-based bypasses trivial).

I'd like to keep that issue distinct from the idea of being able to
programmatically set CSP on an iframe; that's a much trickier problem.
Conrad, can you please start a new thread for that use case and describe it
in detail?

thanks,

Brad Hill

On Mon, Jul 20, 2015 at 12:20 PM Conrad Irwin <conrad.irwin@gmail.com>
wrote:

> In a similar vein, I would like the ability to set the CSP on an iframe.
> Currently I'm using DOMPurify to strip out JavaScript from the document and
> then doing:
>
> iframe.contentDocument = purifiedDocument
>
> It would be great if I could set CSP using a better mechanism than adding
> a meta tag to the purified document.
>
> Conrad
>
> On Mon, Jul 20, 2015 at 5:21 AM, Anne van Kesteren <annevk@annevk.nl>
> wrote:
>
>> On Mon, Jul 20, 2015 at 6:40 AM, Mike West <mkwst@google.com> wrote:
>> > Any objections to pushing CSP from an opener window to an openee in the same
>> > cases where we'd push CSP from a parent frame to a child frame (e.g. when
>> > the URL is a globally unique identifier)?
>>
>> A URL is never a globally unique identifier, and the origin of a blob
>> URL is usually a normal-looking origin, but I agree that we should
>> copy CSP to places that cannot set their own. And perhaps copy some
>> other things too, such as Referrer Policy, what service worker to use,
>> etc.
>>
>>
>> --
>> https://annevankesteren.nl/
>>
>>
>

Received on Monday, 20 July 2015 21:34:36 UTC
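
The meta-tag workaround mentioned in the quoted message, as an added example that is not code from the thread or from DOMPurify: it places the policy first in `<head>` and reports the directives that CSP ignores when delivered via `<meta>` (`frame-ancestors`, `report-uri`, `sandbox`). The function names are hypothetical, and the body HTML is assumed to have been sanitized already.

```javascript
// Added example. Assumption: purifiedBodyHtml is the string returned by
// DOMPurify.sanitize(); this code performs no sanitization itself.

// Directives the CSP specification ignores in a <meta>-delivered policy.
const META_IGNORED = new Set(["frame-ancestors", "report-uri", "sandbox"]);

// Split a serialized policy into { name, value } directives.
function parsePolicy(policy) {
  return policy.split(";").map(d => d.trim()).filter(Boolean).map(d => {
    const [name, ...rest] = d.split(/\s+/);
    return { name: name.toLowerCase(), value: rest.join(" ") };
  });
}

// Keep only directives a <meta> policy can enforce; list the rest so the
// caller knows they must come from an HTTP header or iframe attribute.
function metaSafePolicy(policy) {
  const kept = [], dropped = [];
  for (const d of parsePolicy(policy)) {
    (META_IGNORED.has(d.name) ? dropped : kept).push(d);
  }
  return {
    policy: kept.map(d => (d.value ? `${d.name} ${d.value}` : d.name)).join("; "),
    dropped: dropped.map(d => d.name),
  };
}

// Escape a string for use inside a double-quoted HTML attribute.
function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;")
          .replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Build a full document whose first <head> child is the CSP <meta>, so the
// policy is in place before any of the framed content is parsed.
function buildFramedDocument(purifiedBodyHtml, policy) {
  const { policy: enforced, dropped } = metaSafePolicy(policy);
  if (!enforced) throw new Error("no directive left that <meta> can enforce");
  const html = "<!doctype html><html><head>" +
    `<meta http-equiv="Content-Security-Policy" content="${escapeAttr(enforced)}">` +
    "</head><body>" + purifiedBodyHtml + "</body></html>";
  return { html, dropped };
}

// Browser usage (constructed values): iframe.srcdoc =
//   buildFramedDocument(clean, "default-src 'none'; img-src data:").html;
```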