Bug 230194 - window.open() uses incorrect global object to determine if navigation is allowed
Summary: window.open() uses incorrect global object to determine if navigation is allowed
Status: NEW
Alias: None
Product: WebKit
Classification: Unclassified
Component: New Bugs (show other bugs)
Version: WebKit Nightly Build
Hardware: Unspecified Unspecified
: P2 Normal
Assignee: Alexey Shvayka
URL:
Keywords: InRadar
Depends on:
Blocks: 231702
  Show dependency treegraph
 
Reported: 2021-09-11 14:54 PDT by Alexey Shvayka
Modified: 2022-10-25 13:52 PDT (History)
17 users (show)

See Also:


Attachments
Patch (38.09 KB, patch)
2021-09-11 14:57 PDT, Alexey Shvayka
no flags Details | Formatted Diff | Diff
Patch (48.32 KB, patch)
2021-09-21 09:29 PDT, Alexey Shvayka
ggaren: review+
Details | Formatted Diff | Diff
Cross-browser research (5.27 KB, text/markdown)
2021-10-13 15:18 PDT, Alexey Shvayka
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Alexey Shvayka 2021-09-11 14:54:12 PDT
window.open() uses incorrect global object to determine if navigation is allowed
Comment 1 Alexey Shvayka 2021-09-11 14:57:39 PDT
Created attachment 437965 [details]
Patch
Comment 2 Radar WebKit Bug Importer 2021-09-18 14:55:15 PDT
<rdar://problem/83274097>
Comment 3 Alexey Shvayka 2021-09-21 09:29:56 PDT
Created attachment 438829 [details]
Patch

Add <iframe sandbox> tests and ChangeLog.
Comment 4 Alexey Shvayka 2021-10-13 15:18:47 PDT
Created attachment 441144 [details]
Cross-browser research

The spec seems to be way off the implementations, yet WebKit is way off other engines by using _current_ instead of _relevant_.
Comment 5 Geoffrey Garen 2022-01-19 12:49:25 PST
Comment on attachment 438829 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=438829&action=review

r=me

> Source/WebCore/ChangeLog:21
> +        and "allow-same-origin" flags are present. If that's the acse, an <iframe> can simply

case

> Source/WebCore/ChangeLog:24
> +        Although per current spec [4], window.open() uses _entry_ global object pretty much

Entry global object would be an obvious security / pop-up blocking bug. Seems worth filing a spec issue to correct this.

> Source/WebCore/page/DOMWindow.cpp:2549
> -ExceptionOr<RefPtr<WindowProxy>> DOMWindow::open(DOMWindow& activeWindow, DOMWindow& firstWindow, const String& urlStringToOpen, const AtomString& frameName, const String& windowFeaturesString)
> +ExceptionOr<RefPtr<WindowProxy>> DOMWindow::open(DOMWindow& firstWindow, const String& urlStringToOpen, const AtomString& frameName, const String& windowFeaturesString)

What is 'firstWindow'? Is it the entry global object, the incumbent global object, the top of stack global object, or something else?
Comment 6 Ahmad Saleem 2022-10-25 13:52:34 PDT
Checking via BugID on Webkit GitHub, it seems that this bug has not landed. Do we need it? Thanks!