RESOLVED FIXED 232243
Form navigations with target=_blank should not have an opener
https://bugs.webkit.org/show_bug.cgi?id=232243
Summary Form navigations with target=_blank should not have an opener
Chris Dumez
Reported 2021-10-25 08:11:05 PDT
Form navigations with target=_blank should not have an opener, similarly to link navigations.
Attachments
Patch (8.25 KB, patch)
2021-10-25 08:13 PDT, Chris Dumez
no flags
Patch (12.04 KB, patch)
2021-10-25 09:33 PDT, Chris Dumez
no flags
Patch (12.60 KB, patch)
2021-10-25 13:11 PDT, Chris Dumez
no flags
Chris Dumez
Comment 1 2021-10-25 08:13:49 PDT
EWS Watchlist
Comment 2 2021-10-25 08:15:08 PDT
This patch modifies the imported WPT tests. Please ensure that any changes on the tests (not coming from a WPT import) are exported to WPT. Please see https://trac.webkit.org/wiki/WPTExportProcess
Anne van Kesteren
Comment 3 2021-10-25 08:22:26 PDT
*** Bug 194398 has been marked as a duplicate of this bug. ***
Chris Dumez
Comment 4 2021-10-25 09:33:00 PDT
Sam Weinig
Comment 5 2021-10-25 09:55:27 PDT
Comment on attachment 442377 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=442377&action=review > Source/WebCore/ChangeLog:10 > + on the <form>), similarly to link navigations. This is better for security and allows us to > + process-swap in more cases. Would be good to explain in a bit more detail the security benefits.
Darin Adler
Comment 6 2021-10-25 10:01:04 PDT
Comment on attachment 442377 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=442377&action=review > Source/WebCore/html/HTMLFormElement.cpp:431 > + if (relAttributes.noopener || relAttributes.noreferrer || (!relAttributes.opener && document().settings().blankAnchorTargetImpliesNoOpenerEnabled() && equalIgnoringASCIICase(formSubmission->target(), "_blank"))) Why is blankAnchorTargetImpliesNoOpenerEnabled a setting? Change log doesn’t mention this. If "_blank" is a special value for target, I am surprised that we have the constant here. Is there anywhere else we treat it specially? Can we share a constant or a function to check it?
Chris Dumez
Comment 7 2021-10-25 10:03:44 PDT
Comment on attachment 442377 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=442377&action=review >> Source/WebCore/html/HTMLFormElement.cpp:431 >> + if (relAttributes.noopener || relAttributes.noreferrer || (!relAttributes.opener && document().settings().blankAnchorTargetImpliesNoOpenerEnabled() && equalIgnoringASCIICase(formSubmission->target(), "_blank"))) > > Why is blankAnchorTargetImpliesNoOpenerEnabled a setting? Change log doesn’t mention this. > > If "_blank" is a special value for target, I am surprised that we have the constant here. Is there anywhere else we treat it specially? Can we share a constant or a function to check it? Even though this is now part of the specification, WebKit was the first one to imply "noopener" when using target=_blank. As a result, this was implemented behind an experimental feature flag. Now that this is in the specification and has shipped in Safari a while back, I guess we could drop the feature flag too. I will check if we have a _blank constant somewhere.
Chris Dumez
Comment 8 2021-10-25 12:35:59 PDT
(In reply to Chris Dumez from comment #7) > Comment on attachment 442377 [details] > Patch > > View in context: > https://bugs.webkit.org/attachment.cgi?id=442377&action=review > > >> Source/WebCore/html/HTMLFormElement.cpp:431 > >> + if (relAttributes.noopener || relAttributes.noreferrer || (!relAttributes.opener && document().settings().blankAnchorTargetImpliesNoOpenerEnabled() && equalIgnoringASCIICase(formSubmission->target(), "_blank"))) > > > > Why is blankAnchorTargetImpliesNoOpenerEnabled a setting? Change log doesn’t mention this. > > > > If "_blank" is a special value for target, I am surprised that we have the constant here. Is there anywhere else we treat it specially? Can we share a constant or a function to check it? > > Even though this is now part of the specification, WebKit was the first one > to imply "noopener" when using target=_blank. As a result, this was > implemented behind an experimental feature flag. Now that this is in the > specification and has shipped in Safari a while back, I guess we could drop > the feature flag too. > > I will check if we have a _blank constant somewhere. It doesn't seem we have a _blank constant somewhere currently. We could add one but I am not sure where would be the best place to add it.
Chris Dumez
Comment 9 2021-10-25 13:11:25 PDT
Darin Adler
Comment 10 2021-10-25 13:17:50 PDT
(In reply to Chris Dumez from comment #8) > It doesn't seem we have a _blank constant somewhere currently. We could add > one but I am not sure where would be the best place to add it. I will take care of this next time I have a chance; I’ll look at the different uses of "_blank" and try to figure out how to make them share a constant. Or maybe share a function. Presumably the different places that process target frame names have some shared patterns.
EWS
Comment 11 2021-10-25 14:27:28 PDT
Committed r284821 (243513@main): <https://commits.webkit.org/243513@main> All reviewed patches have been landed. Closing bug and clearing flags on attachment 442403 [details].
Radar WebKit Bug Importer
Comment 12 2021-10-25 14:28:20 PDT
Note You need to log in before you can comment on or make changes to this bug.