Re: [CSP2]Is there a directive dealing with the window.opener.location phishing concern?

In the meantime you can use a redirect through your own domain to null out
the window.opener property, or use the handle you get from window.open to
set it to null.

On Wed, Sep 30, 2015 at 12:05 PM Tanvi Vyas <tanvi@mozilla.com> wrote:

> Requiring that no referrer is sent in order to disown the opener is not
> great.  I hope we come up with a better mechanism soon.
>
> Jerry, in the meantime you may consider putting referrer information in a
> query parameter.  Third parties would have to learn about this parameter
> though and update their code.
>
>
> ~Tanvi
>
> On 9/30/15 6:45 AM, Jerry Qu wrote:
>
> Thank you for your reply!
>
> We can not remove the REFERER header to 3rd party web page,
> because of they use the header for Referral Analytics.
>
>
> On Wed, Sep 30, 2015 at 9:37 PM, Mike West <mkwst@google.com> wrote:
>
>> On Wed, Sep 30, 2015 at 2:43 PM, Jerry Qu <quguangyu@gmail.com> wrote:
>>
>>> I have read the CSP2 specs (http://www.w3.org/TR/CSP2/), and I found
>>> there is no directive to block this situation:
>>>
>>> if ( window.opener != null ) {
>>>     window.opener.location.replace('http://www.evil.com');
>>> }
>>>
>>> Our website offer a web search service, we will open target link in a
>>> new tab,
>>> and some 3rd party website website use this script to redirect our page
>>> to an evil page.
>>>
>>> What can I do for this?
>>>
>>
>> Right now, you can open that window with `<a rel="noreferrer"
>> target="_blank">`, which will disown the opener in the new window.
>>
>> This is something we'd like to address in the next iteration of CSP: in
>> the somewhat near future, you can use whatever we come up with to address
>> https://github.com/w3c/webappsec/issues/139.
>>
>> -mike
>>
>
>
>
> --
> 非常感谢~
>
> 屈光宇（ImQuQu.com）
>
>
>