From 60f82624a9156dbe2734b9fedccc961136ed9503 Mon Sep 17 00:00:00 2001
From: Anne van Kesteren
Date: Thu, 31 Jan 2019 16:35:11 +0100
Subject: [PATCH 1/4] Make target=_blank imply noopener; support opener

This reduces the number of coupled top-level browsing contexts and thereby reduces the attack surface somewhat.

Tests: ...

Fixes #4078.
---
 source | 58 +++++++++++++++++++++++++++++++++++++++++++++-------------
 1 file changed, 45 insertions(+), 13 deletions(-)

diff --git a/source b/source index 12ae6fe4cde..819c61acf6c 100644 --- a/source +++ b/source @@ -22629,16 +22629,15 @@ document.body.appendChild(wbr); unordered set of unique space-separated tokens. The allowed keywords and their meanings are defined below.

-

rel's - supported tokens are the keywords defined in - HTML link types which are allowed on a and - area elements, impact the processing model, and are supported by the user agent. The - possible supported tokens are - noreferrer and - noopener. - rel's - supported tokens must only include the tokens from - this list that the user agent implements the processing model for.

+

rel's supported tokens are the keywords defined in HTML link types which are allowed on a and area + elements, impact the processing model, and are supported by the user agent. The possible supported tokens are noreferrer, noopener, and opener. rel's supported tokens must only include the tokens from this + list that the user agent implements the processing model for.

Other specifications may add HTML link types as defined in Other link types, with the following additional requirements:
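
Review bot: The rewritten supported-tokens paragraph adds opener to the list but does not document what its presence signals to authors. Since a user agent may list only tokens it "implements the processing model for", opener appearing in rel's supported tokens is the one observable sign that unannotated target=_blank links are now decoupled from their opener; a short note saying so would let authors who feature-detect through the supported tokens know whether they still need an explicit noopener on those links.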

@@ -23232,9 +23231,19 @@ document.body.appendChild(wbr); targetAttributeValue to the result of getting an element's target given subject.

-
  • Let noopener be true if subject's link - types include the noreferrer - or noopener keyword

  • +
  • +

    Let noopener be true if one of the following is true:

    + + +
  • Let target and replace be the result of applying the rules for choosing a browsing context given targetAttributeValue, source, and @@ -23805,6 +23814,17 @@ document.body.appendChild(wbr); Additionally, has the same effect as noopener. + + opener + not allowed + Annotation + · + Creates an auxiliary browsing context if the hyperlink would otherwise create + a top-level browsing context that is not an auxiliary browsing + context (i.e., has "_blank" as target attribute value). + + pingback External Resource @@ -24608,6 +24628,18 @@ document.body.appendChild(wbr); +

    Link type "opener"
    + +

    The noopener keyword may be used with a and + area elements. This keyword does not create a hyperlink, but annotates any other hyperlinks created by the element (the + implied hyperlink, if no other keywords create one).

    + +

    The keyword indicates that any newly created top-level browsing context which + results from following the hyperlink will be an auxiliary browsing + context.

    + +
    Link type "pingback"

    The pingback keyword may be used with link

From 39e01443ce076543c732d65604d02ff04c21b0a3 Mon Sep 17 00:00:00 2001
From: Anne van Kesteren
Date: Thu, 31 Jan 2019 16:42:10 +0100
Subject: [PATCH 2/4] <3 travis
---
 source | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source b/source index 819c61acf6c..7bfd0bc2dfb 100644 --- a/source +++ b/source @@ -23237,7 +23237,7 @@ document.body.appendChild(wbr);

  • @@ -24630,7 +24631,7 @@ document.body.appendChild(wbr);
    Link type "opener"
    -

    The noopener keyword may be used with a and +

    The opener keyword may be used with a and area elements. This keyword does not create a hyperlink, but annotates any other hyperlinks created by the element (the implied hyperlink, if no other keywords create one).

    @@ -24639,6 +24640,17 @@ document.body.appendChild(wbr); results from following the hyperlink will be an auxiliary browsing context.

    +
    +

    In the following example the opener is used to allow the help + page popup to navigate its opener, e.g., in case what the user is looking for can be found + elsewhere. An alternative might be to use named target, rather than _blank, but this has the potential to clash with existing names.

    + +
    <a href="..." rel=opener target=_blank>Help!</a>
    +
    + +

    See also the processing model.

    +
    Link type "pingback"
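
Review bot: The added example shows rel=opener on a link with href="..." and its prose ("to allow the help page popup to navigate its opener") never says the destination has to be a page the author trusts. Given that the series exists to reduce coupled top-level browsing contexts, the example should state that opener gives the opened page the ability to navigate the page that opened it, so it belongs only on links to the author's own or otherwise trusted pages. Two wording points in the same paragraph: "the opener is used" reads as if it meant the opening page, and "the opener keyword is used" would match the paragraph above it; "use named target" is missing an article ("use a named target").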
From 04f341386a2edfd8a9ead6bf9d839161488a7b0d Mon Sep 17 00:00:00 2001
From: Anne van Kesteren
Date: Thu, 7 Feb 2019 13:18:18 +0100
Subject: [PATCH 4/4] nits
---
 source | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/source b/source index 5edc72086e2..c2e31495afb 100644 --- a/source +++ b/source @@ -24580,9 +24580,9 @@ document.body.appendChild(wbr); context. E.g., its window.opener attribute will be null.

    -

    See also the processing model where the branching between - an auxiliary browsing context and a top-level browsing context is - defined.

    +

    See also the processing model where the branching + between an auxiliary browsing context and a top-level browsing context + is defined.

    This typically creates an auxiliary browsing context (assuming there is no @@ -24640,17 +24640,17 @@ document.body.appendChild(wbr); results from following the hyperlink will be an auxiliary browsing context.

    +

    See also the processing model.

    +

    In the following example the opener is used to allow the help page popup to navigate its opener, e.g., in case what the user is looking for can be found - elsewhere. An alternative might be to use named target, rather than _blank, but this has the potential to clash with existing names.

    <a href="..." rel=opener target=_blank>Help!</a>
    -

    See also the processing model.

    -
    Link type "pingback"
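
Review bot: After this reorder the Link type "opener" section still does not say what happens when opener appears together with noopener or noreferrer on the same element. The keyword table in patch 1/4 says noreferrer "has the same effect as noopener", while this section says following the link "will be an auxiliary browsing context", so rel="noreferrer opener" reads as contradictory from the keyword definitions alone. Suggest one sentence next to "See also the processing model." stating which keyword takes precedence, so authors do not have to derive it from the algorithm.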