window.opener should be set to null to protect against malicious code

[jayspadie]

monaco-editor version: 0.10.0
Browser: Any
OS: Any

Ctrl + clicking a recognized URL in Monaco opens it in a new tab using window.open() in OpenerService. To protect against malicious code in the linked site, particularly phishing attempts, the window.opener should be set to null to prevent the linked site from having access to change the location of the current page hosting Monaco.

Instead of:

window.open(resource.toString(true));

It should use something like:

var newTab = window.open();
if (newTab) {
    newTab.opener = null;
    newTab.location.href = resource.toString(true);
}

For additional information, see https://mathiasbynens.github.io/rel-noopener/ and add a link in Monaco to https://mathiasbynens.github.io/rel-noopener/malicious.html and observe that it redirects the page hosting Monaco.

[jayspadie]

Hi @alexandrudima , many would consider this a security bug with a relatively easy fix. They will be asking me when it will be fixed, so I thought I would preemptively ask you if there's any plan for another Monaco release anytime soon, and if perhaps this could be included. Thanks.

[alexdima]

Thank you @jayspadie

Published monaco-editor@0.10.1 with the suggested fix.

[hawkerm]

I'm running Monaco in a x-ms-webview, so 10.1.0 broke that as I wouldn't get the uri in the new window request anymore (only about:blank).

Saw there were some updates for this code path in the vscode tree to detect if it was a 'native' platform. Not sure if that'll detect the x-ms-webview case as well, but want to make sure this scenario can be covered too.

[alexdima]

@hawkerm I've extracted your comment to #628

[hawkerm]

@alexandrudima thanks a bunch!