Bug 230194

Summary: window.open() uses incorrect global object to determine if navigation is allowed
Product: WebKit Reporter: Alexey Shvayka <ashvayka>
Component: New BugsAssignee: Alexey Shvayka <ashvayka>
Status: NEW ---    
Severity: Normal CC: ahmad.saleem792, cdumez, changseok, esprehn+autocc, ews-watchlist, ggaren, glenn, gyuyoung.kim, hi, japhet, joepeck, kangil.han, kondapallykalyan, mifenton, pangle, pdr, webkit-bug-importer
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on:    
Bug Blocks: 231702    
Attachments:
Description Flags
Patch
none
Patch
ggaren: review+
Cross-browser research none

Description Alexey Shvayka 2021-09-11 14:54:12 PDT 
window.open() uses incorrect global object to determine if navigation is allowed
Comment 1 Alexey Shvayka 2021-09-11 14:57:39 PDT 
Created attachment 437965 [details]
Patch
Comment 2 Radar WebKit Bug Importer 2021-09-18 14:55:15 PDT 
<rdar://problem/83274097>
Comment 3 Alexey Shvayka 2021-09-21 09:29:56 PDT 
Created attachment 438829 [details]
Patch

Add <iframe sandbox> tests and ChangeLog.
Comment 4 Alexey Shvayka 2021-10-13 15:18:47 PDT 
Created attachment 441144 [details]
Cross-browser research

The spec seems to be way off the implementations, yet WebKit is way off other engines by using _current_ instead of _relevant_.
Comment 5 Geoffrey Garen 2022-01-19 12:49:25 PST 
Comment on attachment 438829 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=438829&action=review

r=me

> Source/WebCore/ChangeLog:21
> +        and "allow-same-origin" flags are present. If that's the acse, an <iframe> can simply

case

> Source/WebCore/ChangeLog:24
> +        Although per current spec [4], window.open() uses _entry_ global object pretty much

Entry global object would be an obvious security / pop-up blocking bug. Seems worth filing a spec issue to correct this.

> Source/WebCore/page/DOMWindow.cpp:2549
> -ExceptionOr<RefPtr<WindowProxy>> DOMWindow::open(DOMWindow& activeWindow, DOMWindow& firstWindow, const String& urlStringToOpen, const AtomString& frameName, const String& windowFeaturesString)
> +ExceptionOr<RefPtr<WindowProxy>> DOMWindow::open(DOMWindow& firstWindow, const String& urlStringToOpen, const AtomString& frameName, const String& windowFeaturesString)

What is 'firstWindow'? Is it the entry global object, the incumbent global object, the top of stack global object, or something else?
Comment 6 Ahmad Saleem 2022-10-25 13:52:34 PDT 
Checking via BugID on Webkit GitHub, it seems that this bug has not landed. Do we need it? Thanks!