Bug 230194

Summary:

window.open() uses incorrect global object to determine if navigation is allowed

Product:

WebKit

Reporter:

Alexey Shvayka <ashvayka>

Component:

New Bugs

Assignee:

Alexey Shvayka <ashvayka>

Status:

NEW

Severity:

Normal

CC:

ahmad.saleem792, cdumez, changseok, esprehn+autocc, ews-watchlist, ggaren, glenn, gyuyoung.kim, hi, japhet, joepeck, kangil.han, kondapallykalyan, mifenton, pangle, pdr, webkit-bug-importer

Priority:

Keywords:

InRadar

Version:

WebKit Nightly Build

Hardware:

Unspecified

OS:

Unspecified

Bug Depends on:

Bug Blocks:

231702

Attachments:

Description	Flags
Patch	none
Patch	ggaren: review+
Cross-browser research	none

Alexey Shvayka

Reported 2021-09-11 14:54:12 PDT

window.open() uses incorrect global object to determine if navigation is allowed

Attachments
Patch (38.09 KB, patch) 2021-09-11 14:57 PDT, Alexey Shvayka	no flags	Details Formatted Diff Diff
Patch (48.32 KB, patch) 2021-09-21 09:29 PDT, Alexey Shvayka	ggaren: review+	Details Formatted Diff Diff
Cross-browser research (5.27 KB, text/markdown) 2021-10-13 15:18 PDT, Alexey Shvayka	no flags	Details
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.

Alexey Shvayka

Comment 1 2021-09-11 14:57:39 PDT

Created attachment 437965 [details] Patch

Radar WebKit Bug Importer

Comment 2 2021-09-18 14:55:15 PDT

<rdar://problem/83274097>

Alexey Shvayka

Comment 3 2021-09-21 09:29:56 PDT

Created attachment 438829 [details] Patch Add <iframe sandbox> tests and ChangeLog.

Alexey Shvayka

Comment 4 2021-10-13 15:18:47 PDT

Created attachment 441144 [details] Cross-browser research The spec seems to be way off the implementations, yet WebKit is way off other engines by using _current_ instead of _relevant_.

Geoffrey Garen

Comment 5 2022-01-19 12:49:25 PST

Comment on attachment 438829 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=438829&action=review r=me > Source/WebCore/ChangeLog:21 > + and "allow-same-origin" flags are present. If that's the acse, an <iframe> can simply case > Source/WebCore/ChangeLog:24 > + Although per current spec [4], window.open() uses _entry_ global object pretty much Entry global object would be an obvious security / pop-up blocking bug. Seems worth filing a spec issue to correct this. > Source/WebCore/page/DOMWindow.cpp:2549 > -ExceptionOr<RefPtr<WindowProxy>> DOMWindow::open(DOMWindow& activeWindow, DOMWindow& firstWindow, const String& urlStringToOpen, const AtomString& frameName, const String& windowFeaturesString) > +ExceptionOr<RefPtr<WindowProxy>> DOMWindow::open(DOMWindow& firstWindow, const String& urlStringToOpen, const AtomString& frameName, const String& windowFeaturesString) What is 'firstWindow'? Is it the entry global object, the incumbent global object, the top of stack global object, or something else?

Ahmad Saleem

Comment 6 2022-10-25 13:52:34 PDT

Checking via BugID on Webkit GitHub, it seems that this bug has not landed. Do we need it? Thanks!

Note You need to log in before you can comment on or make changes to this bug.