Skip to content
This repository has been archived by the owner on Dec 11, 2019. It is now read-only.

target="_blank" vulnerability #3668

Closed
anandgraves opened this issue Sep 2, 2016 · 13 comments
Closed

target="_blank" vulnerability #3668

anandgraves opened this issue Sep 2, 2016 · 13 comments

Comments

@anandgraves
Copy link

Did you search for similar issues before submitting this one?
Yes

Describe the issue you encountered:
A popup window or other tab can modify the location of it's window.opener even when the two windows have different domains.

See for more information:

Expected behavior:
A popup window or tab shouldn't be able to modify the location of it's window.opener.

@bbondy bbondy added this to the 0.12.1dev milestone Sep 4, 2016
@bbondy
Copy link
Member

bbondy commented Sep 4, 2016

/cc @bridiver

@bridiver
Copy link
Collaborator

bridiver commented Sep 4, 2016

this affects Chrome, FF, Safari and probably all other browsers. I need to do a little research, but "fixing" this may actually violate web standards

@bridiver
Copy link
Collaborator

bridiver commented Sep 4, 2016

are there any legitimate uses for this? Maybe we should have a permission dialog for it?

@bsclifton
Copy link
Member

@bridiver +1 on your proposal for a dialog. There are valid uses and it might be good to also be able to remember the choice (yes/no) for the domain.

One use-case I know of offhand was present in a ticketing system called ServiceDesk. It would pop up a new window where you'd search for an employee or similar and then hit enter or click OK. When you do, it manipulates the DOM on opener to set the value of an input box and the pop up then closes itself

@bridiver
Copy link
Collaborator

bridiver commented Sep 4, 2016

@bsclifton are they in different domains? There are certainly legitimate same-domain uses, but cross-domain seems a little more sketchy

@bsclifton
Copy link
Member

no- same domain 😄

@diracdeltas
Copy link
Member

diracdeltas commented Sep 7, 2016

This definitely is a major security issue for the cross-domain case, so I'm surprised it hasn't been addressed in the major browsers. IMO we should block cross-domain entirely and deal with breakage via a notification prompt only if it causes known issues. FWIW I have never observed a site doing this cross-domain.

@bridiver
Copy link
Collaborator

bridiver commented Sep 7, 2016

cross-domain write access to window.location is specifically allowed in the spec. I'm concerned that blocking by default could break legitimate sites and I think a permission dialog would be a better solution.

@bridiver
Copy link
Collaborator

bridiver commented Sep 7, 2016

I think the dialog should come up for same domain as well

@bsclifton
Copy link
Member

I think we could offer two options (default choice TBD):

  • Block access to window.opener completely
  • Prompt for any attempts at window.opener, remember decision

Blocking most would protect most people. If that was the default, people with specific sites with valid use-cases (like my ServiceDesk example, or maybe their intranet, since it's trusted) will be affected and they'd have to know to disable it.

This might be a good time to put some thought into grouping all of the options we'll eventually have. Just a quick proposal - maybe we can offer a global "security level" you choose from? defaulted to what is effective for most folks

  • don't enable FP
  • show dialog for this window.opener
  • don't have scripts blocked
  • have HTTPS everywhere enabled
  • ad/tracking protection enabled

And then you can scale up to the "I'm off the grid" option that enables all of the protections (or auto-dismissals for cases like this).

@bbondy bbondy removed this from the 0.12.1dev milestone Sep 9, 2016
@luixxiul
Copy link
Contributor

luixxiul commented Aug 20, 2017

I guess the issue should be fixed with #10290 and #10424.

ref https://mathiasbynens.github.io/rel-noopener/

@luixxiul
Copy link
Contributor

luixxiul commented Nov 7, 2017

Closing as fixed with #10290 and #10424. They'll be available since 0.20.x.

@luixxiul luixxiul closed this as completed Nov 7, 2017
@luixxiul luixxiul added this to the 0.20.x (Beta Channel) milestone Nov 7, 2017
@luixxiul
Copy link
Contributor

luixxiul commented Nov 7, 2017

no-qa-needed for this issue as QA is going to be done for #10290 and #10424.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Development

No branches or pull requests

6 participants