Hi,

I have read the CSP2 specs (http://www.w3.org/TR/CSP2/), and I found there is no directive to block this situation:

    if ( window.opener != null ) {
        window.opener.location.replace('http://www.evil.com');
    }

Our website offers a web search service. We will open the target link in a new tab, and some 3rd party websites use this script to redirect our page to an evil page.

What can I do about this?

--
Thank you!
https://imququ.com

Received on Wednesday, 30 September 2015 12:44:14 UTC
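
A mitigation for the situation described in the message above, as an added example that is not part of the original post: a link opened with rel="noopener noreferrer" gives the new tab a null window.opener, so the check in the quoted script fails and the opening page is not redirected. The function names and sample markup are constructed for illustration, and the regex-based rewriting assumes template-generated markup with no ">" inside attribute values.

```javascript
// Added example, not from the original post. Names and markup are constructed.
const REQUIRED = ["noopener", "noreferrer"];
const attrRe = (name) =>
  new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
const TARGET_RE = attrRe("target");
const REL_RE = attrRe("rel");
const value = (m) => m[1] ?? m[2] ?? m[3];

// Rewrite one <a ...> start tag so the page it opens gets window.opener === null.
function hardenAnchorTag(tag) {
  const target = TARGET_RE.exec(tag);
  if (!target) return tag; // same-tab navigation, no opener handle is created
  const name = value(target).toLowerCase();
  if (["", "_self", "_parent", "_top"].includes(name)) return tag;

  const rel = REL_RE.exec(tag);
  const tokens = rel ? value(rel).split(/\s+/).filter(Boolean) : [];
  // rel="opener" explicitly re-enables window.opener, so drop it.
  const kept = tokens.filter((t) => t.toLowerCase() !== "opener");
  for (const r of REQUIRED) {
    if (!kept.some((t) => t.toLowerCase() === r)) kept.push(r);
  }
  const attr = ` rel="${kept.join(" ")}"`;
  // Function replacers keep "$" in token text from being read as a pattern.
  if (rel) return tag.replace(REL_RE, () => attr);
  return tag.replace(/\s*>$/, () => `${attr}>`);
}

// Apply the rewrite to every anchor start tag in a rendered results page.
function hardenHtml(html) {
  return html.replace(/<a\s[^>]*>/gi, (tag) => hardenAnchorTag(tag));
}

// Constructed sample: two result links opened in a new tab, one local link.
const sample = [
  '<a href="https://example.org/a" target="_blank">A</a>',
  '<a href="https://example.org/b" target="_blank" rel="nofollow opener">B</a>',
  '<a href="/local">C</a>',
].join("\n");

console.log(hardenHtml(sample));
```
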