CSP form-action 'self' doesn't allow same-origin redirect in form action opened in a new window with target="_blank"
Reported by dragory...@gmail.com, Jan 30 2018
Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/64.0.3282.119 Safari/537.36

Steps to reproduce the problem:
1. Set Content-Security-Policy to "form-action 'self'"
2. Create a form with target="_blank"
3. Add a redirect to the same origin in the script referenced by the form's action
4. Submit the form

What is the expected behavior?
Redirect to the same origin should be allowed in the opened window

What went wrong?
Redirect to the same origin is disallowed by CSP in the opened window

Did this work before? Yes 63

Chrome version: 64.0.3282.119 Channel: stable
OS Version: 10.0
Flash Version:

Example code to reproduce: https://gist.github.com/Dragory/a7b9215e56304890ab5ac5b841465c29
Live version: https://dragory.net/misc/csp-bug.php
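
The four reproduction steps above as a local test server, for checking how a given browser build enforces form-action across a same-origin redirect. This is an added example, not the reporter's gist or live PHP page; the paths /, /submit and /done, the port, and sending the policy on every response are assumptions.

```python
# Added repro harness (not the reporter's code); paths and port are assumptions.
from http.server import BaseHTTPRequestHandler, HTTPServer

CSP = "form-action 'self'"  # step 1: the policy under test

# Step 2: a form that opens its result in a new window.
FORM_PAGE = b"""<!doctype html>
<title>form-action 'self' with target=_blank</title>
<form method="post" action="/submit" target="_blank">
  <button>Submit</button>
</form>
"""

class Handler(BaseHTTPRequestHandler):
    def _send(self, status, body=b"", location=None):
        self.send_response(status)
        self.send_header("Content-Security-Policy", CSP)
        if location:
            self.send_header("Location", location)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        if self.path == "/":
            self._send(200, FORM_PAGE)
        elif self.path == "/done":
            self._send(200, b"<p>Same-origin redirect was followed.</p>")
        else:
            self._send(404, b"not found")

    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length") or 0))
        if self.path == "/submit":
            # Step 3: relative Location, so the redirect stays on this origin.
            self._send(302, location="/done")
        else:
            self._send(404, b"not found")

    def log_message(self, *args):  # keep the console quiet
        pass

def make_server(port=0):
    return HTTPServer(("127.0.0.1", port), Handler)

if __name__ == "__main__":
    srv = make_server(8000)
    print("Open http://127.0.0.1:8000/ and submit the form (step 4)")
    srv.serve_forever()
```

With the expected behavior from the report, the new window ends on /done; with the reported behavior, the redirect is blocked and a CSP violation is reported instead.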
Jan 30 2018
Duping this against the other bug, thanks for the report!
May 8 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by dragory...@gmail.com, Jan 30 2018