- From: Anne van Kesteren <annevk@annevk.nl>
- Date: Thu, 27 Apr 2017 16:19:43 +0200
- To: Mike West <mkwst@google.com>
- Cc: Artur Janc <aaj@google.com>, Alex Russell <slightlyoff@google.com>, Emily Stark <estark@google.com>, Jonathan Watt <jwatt@mozilla.com>, "public-webappsec@w3.org" <public-webappsec@w3.org>
On Thu, Apr 27, 2017 at 12:57 PM, Mike West <mkwst@google.com> wrote: > As noted, I think that `disown-opener` is the wrong thing for a page to ask > for. Instead, I think something like > `block-cross-origin-access-via-windowproxy-and-etc` is more accurate. That > is, the goal isn't to prevent `window.opener` from being set on the > protected page. The goal instead is to prevent cross-origin pages that gain > a reference to the protected page (e.g. via `window.open` or `<iframe>` in > either direction) to use that reference to poke the protected page in ways > it might not expect. You mean like postMessage()? It would help if we're more explicit about the goals. > Assuming that `https://a.com/sekrit` served a response with > `content-security-policy: > block-cross-origin-access-via-windowproxy-and-etc`, I'd expect the following > behavior: > > 1. `var x = window.open('https://a.com/sekrit')` executed from > `https://evil.com/` would return a `WindowProxy` object, just as it does > today. But, accessing `x.location` or `x.postMessage`, or any of the other > cross-origin attributes would throw a `SecurityError`. That would only work post-navigation, but seems reasonable. What about using window.name to get a reference? Presumably that would fail too? This would only be for cross-origin? What about similar-origin? -- https://annevankesteren.nl/
Received on Thursday, 27 April 2017 14:20:14 UTC