Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enforce noopener on cross-top-level-site Blob URLs #10731

Open
wants to merge 8 commits into
base: main
Choose a base branch
from
Open

Enforce noopener on cross-top-level-site Blob URLs #10731

Changes from 2 commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
6b200c3
Enforce noopener on cross-top-level-site Blob URL navigations
recvfrom Oct 30, 2024
4786e67
Update callsites and pass urlRecord per review feedback
recvfrom Nov 4, 2024
a3aea62
Merge branch 'whatwg:main' into main
recvfrom Nov 5, 2024
bb5c5c8
Address most review feedback
recvfrom Nov 5, 2024
585567d
Update 'get noopener for window open' to take a URL record
recvfrom Nov 6, 2024
d6b6cd5
Make URL record optional for 'get noopener for window open'
recvfrom Nov 6, 2024
5a1700a
Fix whitespace in 'get noopener for window open'
recvfrom Nov 6, 2024
c624ae5
Address review feedback
recvfrom Nov 6, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
103 changes: 82 additions & 21 deletions source
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25532,7 +25532,8 @@ document.body.appendChild(wbr);</code></pre>
web content.</p>

<p>To <dfn>get an element's noopener</dfn>, given an <code>a</code>, <code>area</code>, or
<code>form</code> element <var>element</var> and a string <var>target</var>:</p>
<code>form</code> element <var>element</var>, a <span>URL record</span> <var>url</var>, and a
string <var>target</var>, perform the following steps. They return a boolean.</p>

<ol>
<li><p>If <var>element</var>'s <a href="#linkTypes">link types</a> include the <code
Expand All @@ -25544,6 +25545,23 @@ document.body.appendChild(wbr);</code></pre>
<span>ASCII case-insensitive</span> match for "<code data-x="">_blank</code>", then return
true.</p></li>

<li><p>If <var>url</var>'s <span data-x="concept-url-scheme">scheme</span> is
"<code data-x="">blob</code>", run these steps:</p>
recvfrom marked this conversation as resolved.
Show resolved Hide resolved

<ol>
<li><p>Let <var>blobOrigin</var> be <var>url</var>'s
<span data-x="concept-url-blob-entry">blob URL entry</span>'s
<span>environment settings object</span>'s <span>origin</span>.</p></li>

<li><p>Let <var>topLevelOrigin</var> be <var>element</var>'s <span>node navigable</span>'s
<span data-x="nav-document">active document</span>'s <span>relevant settings object</span>'s
<span>top-level origin</span>.</p></li>
recvfrom marked this conversation as resolved.
Show resolved Hide resolved

<li><p>If <var>blobOrigin</var>is not <span>same site</span> with <var>topLevelOrigin</var>,
recvfrom marked this conversation as resolved.
Show resolved Hide resolved
then return true.</p></li>
</ol>
recvfrom marked this conversation as resolved.
Show resolved Hide resolved
</li>

<li><p>Return false.</p></li>
</ol>

Expand All @@ -25564,8 +25582,14 @@ document.body.appendChild(wbr);</code></pre>
<var>targetAttributeValue</var> to the result of <span data-x="get an element's target">getting
an element's target</span> given <var>subject</var>.</p></li>

<li><p>Let <var>urlRecord</var> be the result of <span>encoding-parsing a URL</span> given
<var>subject</var>'s <code data-x="attr-hyperlink-href">href</code> attribute value, relative to
<var>subject</var>'s <span>node document</span>.</p></li>

<li><p>If <var>urlRecord</var> is failure, then return.</p></li>

<li><p>Let <var>noopener</var> be the result of <span data-x="get an element's noopener">getting
an element's noopener</span> with <var>subject</var> and
an element's noopener</span> with <var>subject</var>, <var>urlRecord</var>, and
<var>targetAttributeValue</var>.</p></li>

<li><p>Let <var>targetNavigable</var> be the first return value of applying <span>the rules for
Expand All @@ -25574,11 +25598,8 @@ document.body.appendChild(wbr);</code></pre>

<li><p>If <var>targetNavigable</var> is null, then return.</p></li>

<li><p>Let <var>urlString</var> be the result of <span>encoding-parsing-and-serializing a
URL</span> given <var>subject</var>'s <code data-x="attr-hyperlink-href">href</code> attribute
value, relative to <var>subject</var>'s <span>node document</span>.</p></li>

<li><p>If <var>urlString</var> is failure, then return.</p></li>
<li><p>Let <var>urlString</var> be the result of applying the
<span data-x="concept-url-serializer">URL serializer</span> to <var>urlRecord</var>.</p></li>
recvfrom marked this conversation as resolved.
Show resolved Hide resolved

<li><p>If <var>hyperlinkSuffix</var> is non-null, then append it to
<var>urlString</var>.</p></li>
Expand Down Expand Up @@ -59994,7 +60015,8 @@ fur
<var>formTarget</var>.</p></li>

<li><p>Let <var>noopener</var> be the result of <span data-x="get an element's noopener">getting
an element's noopener</span> with <var>form</var> and <var>target</var>.</p></li>
an element's noopener</span> with <var>form</var>, <var>parsed action</var>, and
<var>target</var>.</p></li>

<li><p>Let <var>targetNavigable</var> be the first return value of applying <span>the rules for
choosing a navigable</span> given <var>target</var>, <var>form</var>'s <span>node
Expand Down Expand Up @@ -89707,23 +89729,36 @@ dictionary <dfn dictionary>WindowPostMessageOptions</dfn> : <span>StructuredSeri

<div w-nodev>

<p>The <dfn>window open steps</dfn>, given a string <var>url</var>, a string <var>target</var>,
and a string <var>features</var>, are as follows:</p>
<p>To <dfn>get noopener for window open</dfn>, given a string <var>url</var>, a
annevk marked this conversation as resolved.
Show resolved Hide resolved
<span>Document</span> <var>sourceDocument</var>, an <span>ordered map</span>
<var>tokenizedFeatures</var>, and a boolean <var>noreferrer</var>, perform the following steps.
They return a boolean.</p>

<ol>
<li><p>If the <span>event loop</span>'s <span>termination nesting level</span> is nonzero,
return null.</p></li>
<li><p>If <var>noreferrer</var> is true, return true.</p></li>
recvfrom marked this conversation as resolved.
Show resolved Hide resolved

<li><p>Let <var>sourceDocument</var> be the <span>entry global object</span>'s <span
data-x="concept-document-window">associated <code>Document</code></span>.</p></li>
<li><p>Let <var>maybeURL</var> be the result of <span>encoding-parsing a URL</span> given
<var>url</var>.</p></li>

<li><p>If <var>target</var> is the empty string, then set <var>target</var> to "<code
data-x="">_blank</code>".</p></li>
<li><p>If <var>maybeURL</var> is not failure and <var>maybeURL</var>'s
<span data-x="concept-url-scheme">scheme</span> is "<code data-x="">blob</code>", run these
steps:</p>
recvfrom marked this conversation as resolved.
Show resolved Hide resolved

<li><p>Let <var>tokenizedFeatures</var> be the result of <span
data-x="concept-window-open-features-tokenize">tokenizing</span> <var>features</var>.</p></li>
<ol>
<li><p>Let <var>blobOrigin</var> be <var>maybeURL</var>'s
<span data-x="concept-url-blob-entry">blob URL entry</span>'s
<span>environment settings object</span>'s <span>origin</span>.

<li><p>Let <var>noopener</var> and <var>noreferrer</var> be false.</p></li>
<li><p>Let <var>topLevelOrigin</var> be <var>sourceDocument</var>'s <span>node navigable</span>'s
recvfrom marked this conversation as resolved.
Show resolved Hide resolved
<span data-x="nav-document">active document</span>'s <span>relevant settings object</span>'s
<span>top-level origin</span>.</p></li>

<li><p>If <var>blobOrigin</var>is not <span>same site</span> with <var>topLevelOrigin</var>,
then return true.</p></li>
</ol>
</li>

<li><p>Let <var>noopener</var> be false.</p></li>

<li>
<p>If <var>tokenizedFeatures</var>["<code data-x="">noopener</code>"] <span data-x="map
Expand All @@ -89740,6 +89775,27 @@ dictionary <dfn dictionary>WindowPostMessageOptions</dfn> : <span>StructuredSeri
</ol>
</li>

<li><p>Return <var>noopener</var>.</p></li>
</ol>

<p>The <dfn>window open steps</dfn>, given a string <var>url</var>, a string <var>target</var>,
and a string <var>features</var>, are as follows:</p>

<ol>
<li><p>If the <span>event loop</span>'s <span>termination nesting level</span> is nonzero,
return null.</p></li>

<li><p>Let <var>sourceDocument</var> be the <span>entry global object</span>'s <span
data-x="concept-document-window">associated <code>Document</code></span>.</p></li>

<li><p>If <var>target</var> is the empty string, then set <var>target</var> to "<code
data-x="">_blank</code>".</p></li>

<li><p>Let <var>tokenizedFeatures</var> be the result of <span
data-x="concept-window-open-features-tokenize">tokenizing</span> <var>features</var>.</p></li>

<li><p>Let <var>noreferrer</var> be false.</p></li>

<li>
<p>If <var>tokenizedFeatures</var>["<code data-x="">noreferrer</code>"] <span data-x="map
exists">exists</span>, then:</p>
Expand All @@ -89755,10 +89811,15 @@ dictionary <dfn dictionary>WindowPostMessageOptions</dfn> : <span>StructuredSeri
</ol>
</li>

<li><p>Let <var>noopener</var> be the result of
<span data-x="get noopener for window open">getting noopener for window open</span> with
<var>url</var>, <var>sourceDocument</var>, <var>tokenizedFeatures</var>, and
<var>noreferrer</var>.</p></li>

<li><p>Let <var>referrerPolicy</var> be the empty string.</p></li>

<li><p>If <var>noreferrer</var> is true, then set <var>noopener</var> to true and set
<var>referrerPolicy</var> to "<code data-x="">no-referrer</code>".</p></li>
<li><p>If <var>noreferrer</var> is true, then set <var>referrerPolicy</var> to
"<code data-x="">no-referrer</code>".</p></li>

<li>
<p>Let <var>targetNavigable</var> and <var>windowType</var> be the result of applying <span>the
Expand Down