Should we restrict certain iframe-initiated popups from satisfying the popup heuristic? #3

Open
amaliev opened this issue Dec 8, 2023 · 0 comments

amaliev (Owner) commented Dec 8, 2023

More details in the explainer, under "Initiating frame for popup heuristic".

We opted to allow popup heuristics for all popups with opener access, as documented in the explainer and spec.

  • This matches the behavior on Firefox and Safari
  • This fixes certain observed breakages, e.g. the Facebook comments widget

However, we might want to include one or both of the following restrictions to avoid privacy and security pitfalls:

  • Disallow a third-party popup opened from a same-site third-party iframe from the popup heuristic.
  • Disallow a third-party popup opened from a different third-party iframe from the popup heuristic.

We need to experiment more, and collaborate with other browsers, to ensure these changes don't result in more breakages.
