Following up on bug 943460 and discussion with bz: We should not be setting CSP on a document whose principal aliases some other document. Rather than special-casing apps (as in bug 943460), we may need a new API to indicate on a channel that (not only does it have an owner, but) the principal is shared with some other document and use this to avoid setting CSP.
Paul, what do you think? Can we mark this one as INVALID?
Component: Security → DOM: Security
Yes I think so.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → INVALID
Actually, Christoph/Henry, does bug 1251152 reintroduce a need for this bug? My guess is 'no' since 1251152 doesn't affect nsDocument.cpp, but I'm not sure.
(In reply to Paul Theriault [:pauljt] from comment #3)
> Actually, Christoph/Henry, does bug 1251152 reintroduce a need for this bug?
> My guess is 'no' since 1251152 doesn't affect nsDocument.cpp, but I'm not
> sure.

Nope, I am fairly certain this is not the case. about:newtab can be forwarded to an external URL. We would then load that URL like any other website within the browser but enforce additional security checks on such loads which are initiated by setting additional security flags within the AboutProtocolHandler.