target=_blank now should default to rel=noopener #1840

Closed
jumde opened this issue Oct 25, 2018 · 6 comments
Labels
closed/invalid priority/P3 The next thing for us to work on. It'll ride the trains. privacy privacy-pod Feature work for the Privacy & Web Compatibility pod QA/No security

Comments

@jumde
Contributor

jumde commented Oct 25, 2018

https://webkit.org/blog/8475/release-notes-for-safari-technology-preview-68/

@jumde jumde added the security label Oct 25, 2018
@tildelowengrimm tildelowengrimm added this to the 1.x Backlog milestone Oct 25, 2018
@rebron
Collaborator

rebron commented Oct 26, 2018

cc: @tomlowenthal can we get prioritization on this one and put in the right milestone, otherwise 1.x Backlog is fine.

@jumde jumde self-assigned this Oct 26, 2018
@tildelowengrimm
Contributor

I think 1.x is right. If someone on the sec team wants to implement sooner than that, it can ride the trains up earlier.

@tildelowengrimm tildelowengrimm added the priority/P4 Planned work. We expect to get to it "soon". label Oct 31, 2018
@bershan2

bershan2 commented Dec 16, 2018

I'm interested in this issue; if someone specifies what exactly the final algorithm should look like, I will be happy to implement it myself. The following is how I understand this, please correct me if I'm wrong. I'll have to do some testing with all 3 browsers (Safari, Mozilla, Chrome) to see how they behave right now and what's in previews/behind flags. Also, maybe Chromium itself is a better place for resolving this, e.g. behind a flag and just setting that flag for Brave during compilation?

First of all, this issue mirrors whatwg#4078 and Bugzilla#1503681, which are only about anchors <a> (Mozilla also did <area> in the same ticket, but reportedly this tag is used so rarely that including it or not should not cause security or compatibility issues[4]). <form> and <base> are covered by a separate issue whatwg#2983. This issue does not deal with window.open().

Here is the tentative summary (please correct me if I'm wrong):

  • if no rel is specified, then "disown" the newly created context (window.opener must not be available) [1]
    (This is the new behavior)
  • if rel="noopener" is specified, then "disown" the newly created context
    (Old behavior)
  • if rel="noreferrer" is specified, then "disown" the newly created context[3]
    (Old behavior)
  • if NOT rel="noopener" and NOT rel="noreferrer" and rel="opener", only then make window.opener [1]
    (This is the new behavior. Specifically, rel="noopener" is stronger than rel="opener" no matter how they are ordered[2])

[1] WebKit plan https://trac.webkit.org/changeset/237144/webkit/
[2] Mozilla's tests: https://github.com/mozilla/gecko-dev/blob/master/dom/html/test/browser_targetBlankNoOpener.js
[3] as per current standard behavior

Note that [2] conflicts with comment [3] (just a comment)
[3] whatwg/html#4078 (comment)

[4] whatwg/html#4078 (comment)

Edit: grammar.
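
The tentative summary in the comment above, modelled as a small decision function (an added example, not part of the thread and not Brave, WebKit or Chromium code). The names `keepsOpener` and `changedByNewDefault` are hypothetical, the sample links are constructed, and the code assumes the new default applies only when the target matches `_blank` case-insensitively.

```javascript
// Added example: models the rel/target decision from the tentative summary.
// Function and field names are hypothetical, not a browser API.

// Split a rel attribute into lowercase tokens (space-separated, case-insensitive).
function relTokens(rel) {
  return new Set((rel || "").toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean));
}

// Returns true if the newly created context keeps window.opener.
// Only meaningful for links whose target opens a new browsing context.
// newDefault = true models the proposed behaviour, false the old one.
function keepsOpener(link, newDefault = true) {
  const tokens = relTokens(link.rel);
  // noopener and noreferrer always disown, and beat rel="opener" in any order.
  if (tokens.has("noopener") || tokens.has("noreferrer")) return false;
  // Explicit opt-in under the new behaviour; the old behaviour kept the opener anyway.
  if (tokens.has("opener")) return true;
  // Assumption: only target=_blank (case-insensitive) gets the disowning default.
  const isBlank = (link.target || "").toLowerCase() === "_blank";
  return !(newDefault && isBlank);
}

// Audit helper: links whose opener exposure differs between the old and new
// default, i.e. the ones that relied on the old default and need an explicit rel.
function changedByNewDefault(links) {
  return links.filter((l) => keepsOpener(l, false) !== keepsOpener(l, true));
}

// Constructed sample links, one per case in the summary plus two edge cases.
const sampleLinks = [
  { id: "a", target: "_blank" },                         // no rel
  { id: "b", target: "_blank", rel: "noopener" },
  { id: "c", target: "_blank", rel: "noreferrer" },
  { id: "d", target: "_blank", rel: "opener" },
  { id: "e", target: "_blank", rel: "opener noopener" }, // noopener wins
  { id: "f", target: "_BLANK", rel: "nofollow" },        // unrelated token only
  { id: "g", target: "help", rel: "" },                  // named target, not _blank
];

for (const l of sampleLinks) {
  console.log(l.id, "old:", keepsOpener(l, false), "new:", keepsOpener(l, true));
}
console.log("changed:", changedByNewDefault(sampleLinks).map((l) => l.id).join(","));
```
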

@bershan2

See also: Chromium Issue 898942

@rebron rebron modified the milestone: 1.x Backlog Feb 7, 2019
@tildelowengrimm tildelowengrimm added the privacy-pod Feature work for the Privacy & Web Compatibility pod label Feb 12, 2020
@diracdeltas diracdeltas added priority/P3 The next thing for us to work on. It'll ride the trains. and removed priority/P4 Planned work. We expect to get to it "soon". labels Sep 22, 2020
@diracdeltas
Member

bumping to p3 because there are a lot of instances in brave-core where we use target=_blank

@fmarier
Member

fmarier commented Jan 6, 2021

This has landed in Chrome 88: https://bugs.chromium.org/p/chromium/issues/detail?id=898942#c29
