Ensure that 'noopener' does not reuse a browsing context

[mikewest]

WIP: All of this would benefit from more substantial refactoring, but
let's decide that this is the right way to approach things first.

#1826

[mikewest]

This is basically the minimal change that does what I think ends up being sane. There's a lot of refactoring that could be done in this area to be more explicit and less repetitious; if this is the direction we want to go, then we can make it prettier.

WDYT, @bzbarsky, @annevk?

[annevk]

The old ID should be preserved somehow.

[mikewest]

Is there an existing pattern for maintaining old IDs?

[bzbarsky]

This looks good to me in general, but there are some edge cases that may not have been considered (mentioned below) that I would like to make sure we have agreement on before I spend more time on implementation....

[bzbarsky]

Doesn't this need to pass a value for the disown opener flag?

[bzbarsky]

And need to pass disown opener flag value here too...

[bzbarsky]

And here.

[bzbarsky]

Is "empty" the right terminology?

[mikewest]

Reworded to avoid the question, since it's not answered anywhere else in the document. :)

[bzbarsky]

OK, so let's think about edge cases:

window.open("", "_self", "noopener");
window.open("", "_top", "noopener");
window.open("", "_parent", "noopener");

[bzbarsky]

Huh, really? This is not what any browser does. Filed #1845 on this, but for purposes of this review I guess this is a preexisting issue.

[bzbarsky]

OK, so this is the thing we need to sort out for _self and company. Should a window be able to disown its own opener by doing open("", "_self", "noopener"), for example? Should such a call return null?

[mikewest]

Hrm, looking at this again, I don't think we actually need to disown the opener here since we're not setting the owner browsing context when choosing a browsing context. Changing this to something like "if disown opener is true, and target browsing context was just created, return null" should be enough.

[bzbarsky]

@mikewest So I'd like to make a concrete proposal, because shipping noopener in Firefox is currently blocked on this being resolved, unless we were to just make something up and ship it...

1. We take the changes from this pull request, so that noopener never reuses an existing named browsing context.
2. Noopener is ignored when targeting _self, _top, or _parent, so that it does not disown the opener in that case.
3. Possibly add verbiage to the effect that noopener is ignored when it ends up targeting an existing browsing context (e.g. if the UA diverts the window.open into an existing tab). Because really, it only makes sense to do the disowning thing if we in fact created a new browsing context...

[mikewest]

1. SGTM.
2. This sounds fine. The return value is somewhat unobservable, as _self, _top, and _parent will all unload the current document as a side-effect of navigating their target, but I agree that the disowning aspect of noopener should be ignored for the navigation.
3. We could add this as a note, though it's not clear to me that it would ever happen given the targeting rules in this patch and the suggestion you've made in 2 above.

[bzbarsky]

The return value is somewhat unobservable

It's totally observable. Off the top of my head, some ways:

1. Have a page window.open a same-origin window without using noopener. Then have that window navigate _self to another same-origin thing, with noopener stuff involved. Examine the state at various points from the original page that's sitting around.
2. Have a page window.open a same-origin window without using noopener. Then have that window navigate _self to a javascript: URL that returns a non-string. Examine the state from whichever page you want; the opened thing is not being unloaded at all here.

though it's not clear to me that it would ever happen given the targeting rules in this patch

It can totally happen, per spec. See https://html.spec.whatwg.org/multipage/browsers.html#the-rules-for-choosing-a-browsing-context-given-a-browsing-context-name step 5 the "If the user agent has been configured such that in this instance it will reuse the current browsing context" case. That basically says "If the UA is set up to treat _blank as a synonym for _self". Note also the "User agent implementors are encouraged to provide a way for users to configure the user agent to always reuse the current browsing context." bit after that point.

What probably makes the most sense is to just do the noopener disowning thing in the existing "If the chosen browsing context picked above, if any, is a new browsing context" section that currently does sandbox flag propagation.

[mikewest]

It's totally observable. Off the top of my head, some ways:

1. Have a page window.open a same-origin window without using noopener. Then have that window navigate _self to another same-origin thing, with noopener stuff involved. Examine the state at various points from the original page that's sitting around.

You're right. I hadn't considered something like window.opener.postMessage(window.open("", "_self", "noopener")).

1. Have a page window.open a same-origin window without using noopener. Then have that window navigate _self to a javascript: URL that returns a non-string. Examine the state from whichever page you want; the opened thing is not being unloaded at all here.

sigh I would dearly love to remove navigation to javascript: (string result or not) from the platform. :(

[mikewest]

What probably makes the most sense is to just do the noopener disowning thing in the existing "If the chosen browsing context picked above, if any, is a new browsing context" section that currently does sandbox flag propagation.

I don't actually think we need to actively disown the opener if we never set the "opener browsing context". Does disowning have side-effects other than removing that relationship? https://html.spec.whatwg.org/#disowned-its-opener is a bit light on expectations.

[bzbarsky]

Disowning is somewhat underspecified right now, yes.

I think the main question is what the impact of never setting (as opposed to disowning) the opener is on the https://html.spec.whatwg.org/multipage/browsers.html#script-closable concept. For that matter, it's not clear to me whether the thing opened via noopener should be script-closable, conceptually. Looks like in Chrome it is, both in the window.open case and in the <a> case....

[mikewest]

Hrm. They're script-closable because they're "a top-level browsing context whose session history contains only one Document." I guess I wouldn't be terribly sad if they were no longer script-closable, but it doesn't seem obviously wrong that they are.

Do you think we need to address that in this patch?

[bzbarsky]

They're script-closable because they're "a top-level browsing context whose session history contains only one Document."

Ah, interesting. I did verify that if I use the testcase from #1866 but rel="noopener" in test.html then the close button does not work in Chrome (but does in Firefox and Safari, at least). For the same testcase without rel="noopener" the button works in Chrome, even if I add a window.opener = null in test2.html.

So it certainly looks like at least in Chrome the behavior of rel="noopener" on a link is different from the same link without noopener followed by disowning the opener...

Do you think we need to address that in this patch?

I think what we should do in this patch is not set the opener at all, rather than disowning it. And we can sort out the script-closable behavior in general in #1866 because the current spec seems pretty broken to me (e.g. doesn't match UAs).

[domenic]

Is this perchance related to @annevk's earlier forays in #313/#323?

[bzbarsky]

Is this perchance related to @annevk's earlier forays in #313/#323?

In the sense that those tried to define what disowning actually means, yes.

[bzbarsky]

What I plan to implement in Gecko is that noopener does NOT return null in the _self/_parent/_top cases, and will write tests accordingly.

[annevk]

Closing this as this is not the correct fix and the specification has changed quite a bit (noopener is being passed around these days). Probably best to first figure out what everyone wants to align on and go from there.