- From: Jerry Qu <quguangyu@gmail.com>
- Date: Wed, 30 Sep 2015 20:43:42 +0800
- To: WebAppSec WG <public-webappsec@w3.org>
Received on Wednesday, 30 September 2015 12:44:14 UTC
hi,
I have read the CSP2 specs (http://www.w3.org/TR/CSP2/), and I found there
is no directive to block this situation:
if ( window.opener != null ) {
window.opener.location.replace('http://www.evil.com');
}
Our website offer a web search service, we will open target link in a new
tab,
and some 3rd party website website use this script to redirect our page to
an evil page.
What can I do for this?
--
Thank you!
https://imququ.com
Received on Wednesday, 30 September 2015 12:44:14 UTC