Bug 232243

Summary: Form navigations with target=_blank should not have an opener
Product: WebKit Reporter: Chris Dumez <cdumez>
Component: FormsAssignee: Chris Dumez <cdumez>
Status: RESOLVED FIXED    
Severity: Normal CC: achristensen, cdumez, changseok, clopez, darin, ehsan, esprehn+autocc, ews-watchlist, ggaren, gyuyoung.kim, mifenton, sam, webkit-bug-importer, wenson_hsieh, youennf
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Bug Depends on: 232170    
Bug Blocks:    
Attachments:
Description Flags
Patch
none
Patch
none
Patch none

Chris Dumez
Reported 2021-10-25 08:11:05 PDT
Form navigations with target=_blank should not have an opener, similarly to link navigations.
Attachments
Patch (8.25 KB, patch)
2021-10-25 08:13 PDT, Chris Dumez 		no flags
DetailsFormatted DiffDiff
Patch (12.04 KB, patch)
2021-10-25 09:33 PDT, Chris Dumez 		no flags
DetailsFormatted DiffDiff
Patch (12.60 KB, patch)
2021-10-25 13:11 PDT, Chris Dumez 		no flags
DetailsFormatted DiffDiff
Show Obsolete (2) View All Add attachment proposed patch, testcase, etc.
Chris Dumez
Comment 1 2021-10-25 08:13:49 PDT
Created attachment 442372 [details] Patch
EWS Watchlist
Comment 2 2021-10-25 08:15:08 PDT
This patch modifies the imported WPT tests. Please ensure that any changes on the tests (not coming from a WPT import) are exported to WPT. Please see https://trac.webkit.org/wiki/WPTExportProcess
Anne van Kesteren
Comment 3 2021-10-25 08:22:26 PDT
*** Bug 194398 has been marked as a duplicate of this bug. ***
Chris Dumez
Comment 4 2021-10-25 09:33:00 PDT
Created attachment 442377 [details] Patch
Sam Weinig
Comment 5 2021-10-25 09:55:27 PDT
Comment on attachment 442377 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=442377&action=review > Source/WebCore/ChangeLog:10 > + on the <form>), similarly to link navigations. This is better for security and allows us to > + process-swap in more cases. Would be good to explain in a bit more detail the security benefits.
Darin Adler
Comment 6 2021-10-25 10:01:04 PDT
Comment on attachment 442377 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=442377&action=review > Source/WebCore/html/HTMLFormElement.cpp:431 > + if (relAttributes.noopener || relAttributes.noreferrer || (!relAttributes.opener && document().settings().blankAnchorTargetImpliesNoOpenerEnabled() && equalIgnoringASCIICase(formSubmission->target(), "_blank"))) Why is blankAnchorTargetImpliesNoOpenerEnabled a setting? Change log doesn’t mention this. If "_blank" is a special value for target, I am surprised that we have the constant here. Is there anywhere else we treat it specially? Can we share a constant or a function to check it?
Chris Dumez
Comment 7 2021-10-25 10:03:44 PDT
Comment on attachment 442377 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=442377&action=review >> Source/WebCore/html/HTMLFormElement.cpp:431 >> + if (relAttributes.noopener || relAttributes.noreferrer || (!relAttributes.opener && document().settings().blankAnchorTargetImpliesNoOpenerEnabled() && equalIgnoringASCIICase(formSubmission->target(), "_blank"))) > > Why is blankAnchorTargetImpliesNoOpenerEnabled a setting? Change log doesn’t mention this. > > If "_blank" is a special value for target, I am surprised that we have the constant here. Is there anywhere else we treat it specially? Can we share a constant or a function to check it? Even though this is now part of the specification, WebKit was the first one to imply "noopener" when using target=_blank. As a result, this was implemented behind an experimental feature flag. Now that this is in the specification and has shipped in Safari a while back, I guess we could drop the feature flag too. I will check if we have a _blank constant somewhere.
Chris Dumez
Comment 8 2021-10-25 12:35:59 PDT
(In reply to Chris Dumez from comment #7) > Comment on attachment 442377 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=442377&action=review > > >> Source/WebCore/html/HTMLFormElement.cpp:431 > >> + if (relAttributes.noopener || relAttributes.noreferrer || (!relAttributes.opener && document().settings().blankAnchorTargetImpliesNoOpenerEnabled() && equalIgnoringASCIICase(formSubmission->target(), "_blank"))) > > > > Why is blankAnchorTargetImpliesNoOpenerEnabled a setting? Change log doesn’t mention this. > > > > If "_blank" is a special value for target, I am surprised that we have the constant here. Is there anywhere else we treat it specially? Can we share a constant or a function to check it? > > Even though this is now part of the specification, WebKit was the first one > to imply "noopener" when using target=_blank. As a result, this was > implemented behind an experimental feature flag. Now that this is in the > specification and has shipped in Safari a while back, I guess we could drop > the feature flag too. > > I will check if we have a _blank constant somewhere. It doesn't seem we have a _blank constant somewhere currently. We could add one but I am not sure where would be the best place to add it.
Chris Dumez
Comment 9 2021-10-25 13:11:25 PDT
Created attachment 442403 [details] Patch
Darin Adler
Comment 10 2021-10-25 13:17:50 PDT
(In reply to Chris Dumez from comment #8) > It doesn't seem we have a _blank constant somewhere currently. We could add > one but I am not sure where would be the best place to add it. I will take care of this next time I have a chance; I’ll look at the different uses of "_blank" and try to figure out how to make them share a constant. Or maybe share a function. Presumably the different places that process target frame names have some shared patterns.
EWS
Comment 11 2021-10-25 14:27:28 PDT
Committed r284821 (243513@main): <https://commits.webkit.org/243513@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 442403 [details].
Radar WebKit Bug Importer
Comment 12 2021-10-25 14:28:20 PDT
<rdar://problem/84630994>
Note You need to log in before you can comment on or make changes to this bug.