-
Notifications
You must be signed in to change notification settings - Fork 3.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
window.opener should be set to null to protect against malicious code #601
Comments
Hi @alexandrudima , many would consider this a security bug with a relatively easy fix. They will be asking me when it will be fixed, so I thought I would preemptively ask you if there's any plan for another Monaco release anytime soon, and if perhaps this could be included. Thanks. |
Thank you @jayspadie Published [email protected] with the suggested fix. |
I'm running Monaco in a x-ms-webview, so 10.1.0 broke that as I wouldn't get the uri in the new window request anymore (only about:blank). Saw there were some updates for this code path in the vscode tree to detect if it was a 'native' platform. Not sure if that'll detect the x-ms-webview case as well, but want to make sure this scenario can be covered too. |
@alexandrudima thanks a bunch! |
Fixes microsoft/monaco-editor#601 - window.opener should be set to null to protect against malicious code
Fixes microsoft/monaco-editor#601 - window.opener should be set to null to protect against malicious code
monaco-editor version: 0.10.0
Browser: Any
OS: Any
Ctrl + clicking a recognized URL in Monaco opens it in a new tab using window.open() in OpenerService. To protect against malicious code in the linked site, particularly phishing attempts, the window.opener should be set to null to prevent the linked site from having access to change the location of the current page hosting Monaco.
Instead of:
It should use something like:
For additional information, see https://mathiasbynens.github.io/rel-noopener/ and add a link in Monaco to https://mathiasbynens.github.io/rel-noopener/malicious.html and observe that it redirects the page hosting Monaco.
The text was updated successfully, but these errors were encountered: