282387 – Consider using top-level site instead of origin when enforcing noopener on certain Blob URLs

NEW 282387

Consider using top-level site instead of origin when enforcing noopener on certain Blob URLs

https://bugs.webkit.org/show_bug.cgi?id=282387

Summary Consider using top-level site instead of origin when enforcing noopener on ce...

Andrew Williams

Reported 2024-10-31 06:44:11 PDT

WebKit currently enforces noopener on Blob URL navigations when the Blob URL origin is cross-origin from the document top-level origin. Per the discussions in https://github.com/w3c/FileAPI/issues/153, we are in the process of updating the HTML spec to specify this behavior except using sites instead of origins (see: https://github.com/whatwg/html/pull/10731). https://github.com/w3c/FileAPI/issues/153#issuecomment-2332086739 indicates that WebKit might be open to using site instead of origin for this as well. Opening this bug for tracking.

Attachments
Add attachment proposed patch, testcase, etc.

Radar WebKit Bug Importer

Comment 1 2024-11-07 05:45:17 PST

Note You need to log in before you can comment on or make changes to this bug.

Status NEW

Resolution

Priority P2

Severity Normal

Classification Unclassified

Version WebKit Nightly Build

Hardware Unspecified

OS Unspecified

Product WebKit

Component Page Loading

Assignee

Nobody

Reported

2024-10-31 06:44 PDT

Modified

2024-11-17 19:12 PST History

CC List

7 users Show

URL

Keywords InRadar

Depends on

Blocks