Windows opened via <a target=_blank> should not have an opener by default #4078
Comments
|
There's a lot of discussion online by web developers who were surprised by the default opener policy. It's a common source of security bugs. https://news.ycombinator.com/item?id=11553740 |
|
Previous discussions wherein we considered variants of this too risky to attempt: #2119 #2047 . I'm not sure anyone considered limiting it only to target=_blank. If you search for "opener" on this tracker there are a bunch of still-open issues. Some are in this area but a lot seem to be about the spec being unclear/broken around browsing context names and opener-disowning. /cc @whatwg/security and @csreis |
|
To rephrase OP, the suggestion here would be that (I like it, if web-compatible.) |
|
I'd love to see this as well. Looking at #2047, I guess the main question is whether OAuth flows use target=_blank or not (and if so, if they could be updated to use named windows). /cc @hillbrad for thoughts on that, and @mikewest for thoughts on making noopener the default behavior in the target=_blank case. |
|
I did some very early testing with regards to OAuth, I tried both Facebook and Google Oauth on several top sites and both still seem to work (the newly opened window still gets an opener). They are likely relying on window.open() rather than URLs tested:
|
|
This sounds like an interesting proposal. Would the newly opened thing also not be targetable by name from the page that opened it, to sever links in both directions? |
|
@bzbarsky Yes the proposal is to sever the link in both directions. I think that’s what the “top-level browsing context” phrase attempts to specify. Note that the newly opened thing initially has no targetable name (because it is _blank), so observable cases of this detail are probably rare — but I guess the loaded page could in theory set window.name, making the behavior observable. |
Right, that would be the case to worry about. |
|
New top-level browsing context was indeed meant to indicate a new name bucket as well. Digression on name bucketsThere are some oddities with Defining the name bucket is #1440 and to some extent #313 is also about that. For both having a complete description of what browsers do today would help a lot (or pointers to the relevant algorithms). |
|
Will experiment with the new behavior in WebKit via |
https://bugs.webkit.org/show_bug.cgi?id=190481 Reviewed by Alex Christensen. Source/WebCore: As an experiment, try and make it so that target=_blank on anchors implies `rel=noopener` for improved security. WebContent can then request an opener relationship by using `rel=opener` instead. This change was discussed at: - whatwg/html#4078 We want to attempt this change is STP to see if it is Web-compatible. Preliminary testing seems to indicate that OAuth workflows still work. * html/HTMLAnchorElement.cpp: (WebCore::HTMLAnchorElement::parseAttribute): (WebCore::HTMLAnchorElement::handleClick): (WebCore::HTMLAnchorElement::effectiveTarget const): * html/HTMLAnchorElement.h: * page/RuntimeEnabledFeatures.h: (WebCore::RuntimeEnabledFeatures::setBlankAnchorTargetImpliesNoOpenerEnabled): (WebCore::RuntimeEnabledFeatures::blankAnchorTargetImpliesNoOpenerEnabled const): Source/WebKit: * Shared/WebPreferences.yaml: Tools: Add API test coverage to make sure we can now swap process when target=_blank is specified on an anchor but rel=noopener is not. * TestWebKitAPI/Tests/WebKitCocoa/ProcessSwapOnNavigation.mm: LayoutTests: Update existing tests to reflect behavior change. * TestExpectations: * http/tests/navigation/no-referrer-reset.html: * http/tests/security/resources/referrer-policy-redirect-link.html: * http/tests/security/xss-DENIED-script-inject-into-inactive-window2-pson.html: * http/tests/security/xss-DENIED-script-inject-into-inactive-window2.html: * http/tests/security/xssAuditor/link-opens-new-window.html: git-svn-id: http://svn.webkit.org/repository/webkit/trunk@237144 268f45cc-cd09-0410-ab3c-d52691b4dbfc
|
Safari Technology Preview 68 contains this behavior change. https://webkit.org/blog/8475/release-notes-for-safari-technology-preview-68/ |
|
The target name concept for cross-documents control, communication, etc is broken from very beginning as given a global naming scope for all sites. I think this security gap could be solved by applying the app scope on top of name. So when window is opened or addressed the name is used only inside of this scope. Other little patches like adding extra parameter to anchors are the scotch patches on bumper. The problem should be addressed on fundamental principles level. |
|
@cdumez was it intentional to exclude |
|
Yes, it was intentional, to limit the risk of Web breakage. Although I agree with you that all these should be consistent, I'd like to do it incrementally so we can identify which ones are OK (or not) in terms of Web compatibility. For now, there was no reported regression that I know of from changing only I am not super worried about |
|
https://bugzilla.mozilla.org/show_bug.cgi?id=1503681 adds wpt tentative tests for Another thing that came up is that adding |
|
One concern which came up in our bug (which @annevk has linked above) was the interaction of multiple
|
|
I tried to clarify the semantics of |
…rea elements when no rel attribute is set, r=nika In case anchor and area elements have target=_blank and no rel=opener/noopener, this patch makes so that rel=noopener is implied. This feature is behind pref 'dom_targetBlankNoOpener_enabled'. See: whatwg/html#4078
…rea elements when no rel attribute is set, r=nika In case anchor and area elements have target=_blank and no rel=opener/noopener, this patch makes so that rel=noopener is implied. This feature is behind pref 'dom_targetBlankNoOpener_enabled'. See: whatwg/html#4078
…rea elements when no rel attribute is set, r=nika In case anchor and area elements have target=_blank and no rel=opener/noopener, this patch makes so that rel=noopener is implied. This feature is behind pref 'dom_targetBlankNoOpener_enabled'. See: whatwg/html#4078
…rea elements when no rel attribute is set, r=nika In case anchor and area elements have target=_blank and no rel=opener/noopener, this patch makes so that rel=noopener is implied. This feature is behind pref 'dom_targetBlankNoOpener_enabled'. See: whatwg/html#4078
…rea elements when no rel attribute is set, r=nika In case anchor and area elements have target=_blank and no rel=opener/noopener, this patch makes so that rel=noopener is implied. This feature is behind pref 'dom_targetBlankNoOpener_enabled'. See: whatwg/html#4078
…rea elements when no rel attribute is set, r=nika In case anchor and area elements have target=_blank and no rel=opener/noopener, this patch makes so that rel=noopener is implied. This feature is behind pref 'dom_targetBlankNoOpener_enabled'. See: whatwg/html#4078
According to whatwg/html#4078 we no longer need to set noopener nofollower as these are set by default
* external links in rich text blocks now opening in new tab According to whatwg/html#4078 we no longer need to set noopener nofollower as these are set by default Co-authored-by: Daniel Miranda <[email protected]>
Although it's no needed for modern web browser becuase target="_blank" already implies rel="noopener" behavior in them after following the spec See * whatwg/html#4078 * https://developer.mozilla.org/en-US/docs/Web/HTML/Element/a#browser_compatibility
While HTML links [launch without an opener reference][spec], [`window.open`][vulnerability] provides a reference to the parent page through an auxiliary browsing context. Given untrusted URL input, this can lead to tabnabbing and phishing attacks. This change uses the [noopener] and [noreferrer] [window features] for the default link handler in the React renderer. [spec]: whatwg/html#4078 [vulnerability]: https://mathiasbynens.github.io/rel-noopener/ [window features]: https://developer.mozilla.org/en-US/docs/Web/API/Window/open#windowfeatures [noopener]: https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes/rel/noopener [noreferrer]: https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes/rel/noreferrer
No longer relevant whatwg/html#4078
Windows opened via
<a target=_blank>currently have an opener unless specified otherwise viarel="noopener". While most developers expect a window opened viawindow.open()to have an opener, I believe most do not necessarily realize the same applies to windows opened via<a target=_blank>. It is unfortunately too rare to see Web developers userel="noopener"in cases where it can and should definitely be used, even on top Web sites (see for example articles on Google News).As a result, I would argue that we should switch the default behavior so that windows opened via
<a target=_blank>do not get an opener, except if the developers explicitly asks for one viarel="opener".This change would be beneficial for security: both in the general Web security aspect (e.g. not being able to navigate one's opener) but also for process isolation. For engines such as WebKit which do not currently support out of process iframes, this would allow for process swapping in more cases.
I understand this change could be risky for a compatibility point of view. It is hard - however - for me to tell how risky it would really be. Also, there would still be a way for Web content to get an opener if they really wanted to, either by using
window.open(), orrel="opener".We are considering experimenting with this new behavior in WebKit (via Safari Technology Preview) so I wanted to file this issue beforehand to gather some feedback and get a feel of how other browser vendors feel about this. For example, if you know of a good reason why we should definitely not do this, we'd really like know :)
The text was updated successfully, but these errors were encountered: