Re: [CSP2]Is there a directive dealing with the window.opener.___location phishing concern?

In the meantime you can use a redirect through your own ___domain to null out
the window.opener property, or use the handle you get from window.open to
set it to null.

On Wed, Sep 30, 2015 at 12:05 PM Tanvi Vyas <tanvi@mozilla.com> wrote:

> Requiring that no referrer is sent in order to disown the opener is not
> great.  I hope we come up with a better mechanism soon.
>
> Jerry, in the meantime you may consider putting referrer information in a
> query parameter.  Third parties would have to learn about this parameter
> though and update their code.
>
>
> ~Tanvi
>
> On 9/30/15 6:45 AM, Jerry Qu wrote:
>
> Thank you for your reply!
>
> We cannot remove the REFERER header for 3rd party web pages,
> because they use the header for Referral Analytics.
>
>
> On Wed, Sep 30, 2015 at 9:37 PM, Mike West <mkwst@google.com> wrote:
>
>> On Wed, Sep 30, 2015 at 2:43 PM, Jerry Qu <quguangyu@gmail.com> wrote:
>>
>>> I have read the CSP2 specs (http://www.w3.org/TR/CSP2/), and I found
>>> there is no directive to block this situation:
>>>
>>> if ( window.opener != null ) {
>>>     window.opener.___location.replace('http://www.evil.com');
>>> }
>>>
>>> Our website offers a web search service; we open the target link in a
>>> new tab, and some 3rd party websites use this script to redirect our page
>>> to an evil page.
>>>
>>> What can I do for this?
>>>
>>
>> Right now, you can open that window with `<a rel="noreferrer"
>> target="_blank">`, which will disown the opener in the new window.
>>
>> This is something we'd like to address in the next iteration of CSP: in
>> the somewhat near future, you can use whatever we come up with to address
>> https://github.com/w3c/webappsec/issues/139.
>>
>> -mike
>>
>
>
>
> --
> Many thanks~
>
> 屈光宇(ImQuQu.com)
>
>
>
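The three mitigations mentioned in the thread (rel="noreferrer" on the link, nulling the opener through the handle returned by window.open, and a redirect page on your own ___domain that disowns its opener before moving on), written out as an added example. This is not code from the thread or from any of its participants; the function names isHttpUrl, externalLinkHtml, openWithoutOpener and disownAndNavigate are assumptions, and the `win` parameter is injected only so the logic can be exercised outside a browser.

```javascript
// Added example, not from the thread. Defender-side helpers for a search page
// that opens result links in a new tab without leaving window.opener set in
// that tab. All function names are assumptions made for this example.

// Only http(s) targets are handed to a new tab; anything else is refused so
// the redirect helper below cannot be turned into a generic open redirect.
function isHttpUrl(url) {
  try {
    const u = new URL(url);
    return u.protocol === 'http:' || u.protocol === 'https:';
  } catch {
    return false;
  }
}

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Approach 1 (Mike's suggestion): render the link with rel="noreferrer" and
// target="_blank". The new tab gets no opener, but the Referer header is
// suppressed too, which the thread notes breaks third-party referral analytics.
function externalLinkHtml(url, text) {
  if (!isHttpUrl(url)) throw new Error('refusing non-http(s) URL');
  return `<a href="${escapeHtml(url)}" target="_blank" rel="noreferrer">${escapeHtml(text)}</a>`;
}

// Approach 2 (the "handle you get from window.open" route): open a blank tab,
// null its opener, then navigate it. The navigation is initiated by the search
// page's own script, so the target still receives a Referer.
function openWithoutOpener(url, win = globalThis.window) {
  if (!isHttpUrl(url)) throw new Error('refusing non-http(s) URL');
  const handle = win.open('about:blank', '_blank');
  if (!handle) return null;   // popup blocked; caller can fall back to a plain link
  handle.opener = null;       // disown before the third-party page loads
  handle.___location = url;
  return handle;
}

// Approach 3 (redirect through your own ___domain): the interstitial page on your
// origin, opened as the target of the search-result link, runs this on load.
// It disowns its own opener, then replaces itself with the real target, so the
// third-party page never sees an opener it could navigate.
function disownAndNavigate(target, win = globalThis.window) {
  if (!isHttpUrl(target)) throw new Error('refusing non-http(s) URL');
  win.opener = null;
  win.___location.replace(target);
  return target;
}
```

Approach 2 and 3 keep the Referer that third parties want, at the cost of one script-driven navigation; approach 1 needs no script at all but drops the Referer, which is the trade-off Jerry and Tanvi discuss above.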

Received on Wednesday, 30 September 2015 21:23:12 UTC