From 6d2bd6bc2499cd3b81936298d8b85b1d2f14759e Mon Sep 17 00:00:00 2001
From: Mike West <mkwst@google.com>
Date: Fri, 30 Sep 2016 14:18:02 +0200
Subject: [PATCH 1/2] Ensure that 'noopener' does not reuse a browsing context

WIP: All of this would benefit from more substantial refactoring, but
let's decide that this is the right way to approach things first.

whatwg/html#1826
---
 source | 96 ++++++++++++++++++++++++++++++++--------------------------
 1 file changed, 53 insertions(+), 43 deletions(-)

diff --git a/source b/source
index 2ee932b4039..f6141bc7e10 100644
--- a/source
+++ b/source
@@ -18558,8 +18558,8 @@ interface <dfn>HTMLAnchorElement</dfn> : <span>HTMLElement</span> {
     <span>triggered by user activation</span>; or, if the user has not indicated a specific
     <span>browsing context</span> for following the link, and the element's <code
     data-x="attr-hyperlink-target">target</code> attribute is present, and applying <span>the rules
-    for choosing a browsing context given a browsing context name</span>, using the value of the
-    <code data-x="attr-hyperlink-target">target</code> attribute as the browsing context name, would
+    for choosing a browsing context</span>, using the value of the <code
+    data-x="attr-hyperlink-target">target</code> attribute as the browsing context name, would
     result in there not being a chosen browsing context, then run these substeps:</p>
 
     <ol>
@@ -22142,20 +22142,27 @@ interface <dfn>HTMLHyperlinkElementUtils</dfn> {
     <span>one permitted sandboxed navigator</span>.</p>
 
     <p>Otherwise, if <var>subject</var> is an <code>a</code> or <code>area</code> element
-    that has a <code data-x="attr-hyperlink-target">target</code> attribute, then let <var>target</var> be the <span>browsing context</span> that is chosen by applying <span>the
-    rules for choosing a browsing context given a browsing context name</span>, using the value of
-    the <code data-x="attr-hyperlink-target">target</code> attribute as the browsing context name. If
-    these rules result in the creation of a new <span>browsing context</span>, set <var>replace</var> to true.</p>
+    that has a <code data-x="attr-hyperlink-target">target</code> attribute, then let
+    <var>target</var> be the <span>browsing context</span> that is chosen by applying <span>the
+    rules for choosing a browsing context</span>, using the value of the <code
+    data-x="attr-hyperlink-target">target</code> attribute as the browsing context name, and
+    a disown opener flag of true if the element has a <code data-x="attr-hyperlink-rel">rel</code>
+    attribute whose value is "<code data-x="">noopener</code>" or "<code
+    data-x="">noreferrer</code>", and false otherwise. If these rules result in the creation of a
+    new <span>browsing context</span>, set <var>replace</var> to true.</p>
 
     <p>Otherwise, if <var>target</var> is an <code>a</code> or <code>area</code> element
     with no <code data-x="attr-hyperlink-target">target</code> attribute, but the
     <code>Document</code> contains a <code>base</code> element with a <code
     data-x="attr-base-target">target</code> attribute, then let <var>target</var> be the
     <span>browsing context</span> that is chosen by applying <span>the rules for choosing a browsing
-    context given a browsing context name</span>, using the value of the <code
-    data-x="attr-base-target">target</code> attribute of the first such <code>base</code> element as
-    the browsing context name. If these rules result in the creation of a new <span>browsing
-    context</span>, set <var>replace</var> to true.</p> <!-- c.f. concept-fs-target -->
+    context</span>, using the value of the <code data-x="attr-base-target">target</code> attribute
+    of the first such <code>base</code> element as the browsing context name, and a disown opener
+    flag of true if the element has a <code data-x="attr-hyperlink-rel">rel</code>
+    attribute whose value is "<code data-x="">noopener</code>" or "<code
+    data-x="">noreferrer</code>", and false otherwise. If these rules result in the creation of a
+    new <span>browsing context</span>, set <var>replace</var> to true.</p>
+    <!-- c.f. concept-fs-target -->
 
     <p>Otherwise, let <var>target</var> be <var>source</var>.</p>
 
@@ -37402,10 +37409,9 @@ interface <dfn>HTMLAreaElement</dfn> : <span>HTMLElement</span> {
     attribute and the algorithm is not <span>triggered by user activation</span>; or, if the user
     has not indicated a specific <span>browsing context</span> for following the link, and the
     element's <code data-x="attr-hyperlink-target">target</code> attribute is present, and applying
-    <span>the rules for choosing a browsing context given a browsing context name</span>, using the
-    value of the <code data-x="attr-hyperlink-target">target</code> attribute as the browsing
-    context name, would result in there not being a chosen browsing context, then run these
-    substeps:</p>
+    <span>the rules for choosing a browsing context</span>, using the value of the <code
+    data-x="attr-hyperlink-target">target</code> attribute as the browsing context name, would
+    result in there not being a chosen browsing context, then run these substeps:</p>
 
     <ol>
 
@@ -54677,10 +54683,10 @@ fur
 
    <li><p>If the user indicated a specific <span>browsing context</span> to use when submitting the
    form, then let <var>target browsing context</var> be that <span>browsing context</span>.
-   Otherwise, apply <span>the rules for choosing a browsing context given a browsing context
-   name</span> using <var>target</var> as the name and <var>form browsing
-   context</var> as the context in which the algorithm is executed, and let <var>target
-   browsing context</var> be the resulting <span>browsing context</span>.</p></li>
+   Otherwise, apply <span>the rules for choosing a browsing context</span> using <var>target</var>
+   as the name and <var>form browsing context</var> as the context in which the algorithm is
+   executed, and let <var>target browsing context</var> be the resulting <span>browsing
+   context</span>.</p></li>
 
    <li><p>If <var>target browsing context</var> was created in the previous step, or,
    alternatively, if the <var>form document</var> has not yet <span>completely
@@ -77877,15 +77883,16 @@ console.assert(iframeWindow.frameElement === null);
 
   <p class="tablenote"><small>Most of the restrictions on sandboxed browsing contexts are applied by
   other algorithms, e.g. the <span data-x="navigate">navigation</span> algorithm, not <span>the rules
-  for choosing a browsing context given a browsing context name</span> given below.</small></p>
+  for choosing a browsing context</span> given below.</small></p>
 
   <div w-nodev>
 
   <hr>
 
-  <p><dfn>The rules for choosing a browsing context given a browsing context name</dfn> are as
-  follows. The rules assume that they are being applied in the context of a <span>browsing
-  context</span>, as part of the execution of a <span data-x="concept-task">task</span>.</p>
+  <p><dfn>The rules for choosing a browsing context</dfn> given a browsing context name and disown
+  opener flag are as follows. The rules assume that they are being applied in the context of a
+  <span>browsing context</span>, as part of the execution of a <span
+  data-x="concept-task">task</span>.</p>
 
   <ol>
 
@@ -77911,10 +77918,10 @@ console.assert(iframeWindow.frameElement === null);
     browsing context whose <span data-x="browsing context name">name</span> is the same as the given
     browsing context name, and the current browsing context is <span>familiar with</span> that
     browsing context, and the user agent determines that the two browsing contexts are related
-    enough that it is ok if they reach each other, then that browsing context must be the chosen
-    one. If there are multiple matching browsing contexts, the user agent should select one in some
-    arbitrary consistent manner, such as the most recently opened, most recently focused, or more
-    closely related.</p>
+    enough that it is ok if they reach each other, and the disown opener flag is false, then that
+    browsing context must be the chosen one. If there are multiple matching browsing contexts, the
+    user agent should select one in some arbitrary consistent manner, such as the most recently
+    opened, most recently focused, or more closely related.</p>
 
    </li>
 
@@ -77962,11 +77969,11 @@ console.assert(iframeWindow.frameElement === null);
      create a new browsing context:</dt>
 
      <dd>
-      <p>A new <span>auxiliary browsing context</span> must be created, with the <span>opener
-      browsing context</span> being the current one. If the given browsing context name is not
-      <code data-x="">_blank</code>, then the new auxiliary browsing context's name must be the
-      given browsing context name (otherwise, it has no name). The chosen browsing context must be
-      this new browsing context.</p>
+      <p>A new <span>top-level browsing context</span> must be created. Its <span>opener
+      browsing context</span> is the current one if the disown opener flag is false, and empty
+      otherwise. If the given browsing context name is not <code data-x="">_blank</code>, then the
+      new browsing context's name must be the given browsing context name (otherwise, it has no
+      name). The chosen browsing context must be this new browsing context.</p>
 
       <p class="note">If the newly created <span>browsing context</span> is immediately <span
       data-x="navigate">navigated</span>, then the navigation will be done with <span>replacement
@@ -78647,6 +78654,10 @@ callback <dfn>FrameRequestCallback</dfn> = void (<span>DOMHighResTimeStamp</span
    <li><p>If <var>target</var> is the empty string, let it be the string "<code
    data-x="">_blank</code>" instead.</p></li>
 
+   <li><p>Let <var>disown opener</var> be true if the result of <span data-x="split a string on
+   commas">splitting <var>features</var> on commas</span> contains the token "<code
+   data-x="">noopener</code>"
+
    <li>
 
     <p>If the user has indicated a preference for which <span>browsing context</span> to navigate,
@@ -78670,18 +78681,18 @@ callback <dfn>FrameRequestCallback</dfn> = void (<span>DOMHighResTimeStamp</span
     holds the control key down, the user agent could override the selection of the target browsing
     context to instead target a new tab.</p>
 
-    <p>Otherwise, apply <span>the rules for choosing a browsing context given a browsing context
-    name</span> using <var>target</var> as the name and <var>source browsing context</var> as the
-    context in which the algorithm is executed. If this results in there not being a chosen browsing
-    context, then return null. Otherwise, let <var>target browsing context</var> be the
+    <p>Otherwise, apply <span>the rules for choosing a browsing context</span> using
+    <var>target</var> as the name, <var>disown opener</var>, and <var>source browsing context</var>
+    as the context in which the algorithm is executed. If this results in there not being a chosen
+    browsing context, then return null. Otherwise, let <var>target browsing context</var> be the
     <span>browsing context</span> so obtained.</p>
 
    </li>
 
    <li><p>If <var>target browsing context</var> was just created, either as part of <span>the rules
-   for choosing a browsing context given a browsing context name</span> or due to the user
-   indicating a preference for navigating a new <span>top-level browsing context</span>, then let
-   <var>new</var> be true. Otherwise, let it be false.</p></li>
+   for choosing a browsing context</span> or due to the user indicating a preference for navigating
+   a new <span>top-level browsing context</span>, then let <var>new</var> be true. Otherwise, let it
+   be false.</p></li>
 
    <li><p>Interpret <var>features</var> <span data-x="dom-open-features">as defined in the CSSOM
    View specification</span>. <ref spec="CSSOMVIEW"></p></li>
@@ -78741,10 +78752,9 @@ callback <dfn>FrameRequestCallback</dfn> = void (<span>DOMHighResTimeStamp</span
 
     <ol>
 
-     <li><p>If the result of <span data-x="split a string on commas">splitting <var>features</var>
-     on commas</span> contains the token "<code data-x="">noopener</code>", then <span
-     data-x="disowned its opener">disown <var>target browsing context</var>'s opener</span> and
-     return null.</p></li>
+     <li><p>If <var>disown opener</var> is true, <span data-x="disowned its opener">disown
+     <var>target browsing context</var>'s opener</span>, and return <code
+     data-x="">null</code>.</p></li>
 
      <li><p>Otherwise, return the <code>WindowProxy</code> object of <var>target browsing
      context</var>.</p></li>
@@ -80216,7 +80226,7 @@ callback <dfn>FrameRequestCallback</dfn> = void (<span>DOMHighResTimeStamp</span
   <p>Every <span>top-level browsing context</span> has a <dfn>popup sandboxing flag set</dfn>, which
   is a <span>sandboxing flag set</span>. When a <span>browsing context</span> is created, its
   <span>popup sandboxing flag set</span> must be empty. It is populated by <span>the rules for
-  choosing a browsing context given a browsing context name</span>.</p>
+  choosing a browsing context</span>.</p>
 
   <p>Every <span>browsing context</span> that is a <span>nested browsing context</span> has an
   <dfn><code>iframe</code> sandboxing flag set</dfn>, which is a <span>sandboxing flag set</span>.

From bc7dff9dcde31bf48d2be41ed323cec4e2668f80 Mon Sep 17 00:00:00 2001
From: Mike West <mkwst@google.com>
Date: Wed, 5 Oct 2016 10:30:35 +0200
Subject: [PATCH 2/2] fixup @bzbarsky

---
 source | 34 ++++++++++++++++++++--------------
 1 file changed, 20 insertions(+), 14 deletions(-)

diff --git a/source b/source
index f6141bc7e10..01f5d3e80fd 100644
--- a/source
+++ b/source
@@ -18559,8 +18559,11 @@ interface <dfn>HTMLAnchorElement</dfn> : <span>HTMLElement</span> {
     <span>browsing context</span> for following the link, and the element's <code
     data-x="attr-hyperlink-target">target</code> attribute is present, and applying <span>the rules
     for choosing a browsing context</span>, using the value of the <code
-    data-x="attr-hyperlink-target">target</code> attribute as the browsing context name, would
-    result in there not being a chosen browsing context, then run these substeps:</p>
+    data-x="attr-hyperlink-target">target</code> attribute as the browsing context name, and a
+    disown opener flag of true if the element has a <code data-x="attr-hyperlink-rel">rel</code>
+    attribute whose value is "<code data-x="">noopener</code>" or "<code
+    data-x="">noreferrer</code>", and false otherwise would result in there not being a chosen
+    browsing context, then run these substeps:</p>
 
     <ol>
 
@@ -37410,8 +37413,11 @@ interface <dfn>HTMLAreaElement</dfn> : <span>HTMLElement</span> {
     has not indicated a specific <span>browsing context</span> for following the link, and the
     element's <code data-x="attr-hyperlink-target">target</code> attribute is present, and applying
     <span>the rules for choosing a browsing context</span>, using the value of the <code
-    data-x="attr-hyperlink-target">target</code> attribute as the browsing context name, would
-    result in there not being a chosen browsing context, then run these substeps:</p>
+    data-x="attr-hyperlink-target">target</code> attribute as the browsing context name, and a
+    disown opener flag of true if the element has a <code data-x="attr-hyperlink-rel">rel</code>
+    attribute whose value is "<code data-x="">noopener</code>" or "<code
+    data-x="">noreferrer</code>", and false otherwise would result in there not being a chosen
+    browsing context, then run these substeps:</p>
 
     <ol>
 
@@ -54684,9 +54690,9 @@ fur
    <li><p>If the user indicated a specific <span>browsing context</span> to use when submitting the
    form, then let <var>target browsing context</var> be that <span>browsing context</span>.
    Otherwise, apply <span>the rules for choosing a browsing context</span> using <var>target</var>
-   as the name and <var>form browsing context</var> as the context in which the algorithm is
-   executed, and let <var>target browsing context</var> be the resulting <span>browsing
-   context</span>.</p></li>
+   as the name, false as the disown opener flag, and <var>form browsing context</var> as the context
+   in which the algorithm is executed, and let <var>target browsing context</var> be the resulting
+   <span>browsing context</span>.</p></li>
 
    <li><p>If <var>target browsing context</var> was created in the previous step, or,
    alternatively, if the <var>form document</var> has not yet <span>completely
@@ -77969,11 +77975,12 @@ console.assert(iframeWindow.frameElement === null);
      create a new browsing context:</dt>
 
      <dd>
-      <p>A new <span>top-level browsing context</span> must be created. Its <span>opener
-      browsing context</span> is the current one if the disown opener flag is false, and empty
-      otherwise. If the given browsing context name is not <code data-x="">_blank</code>, then the
-      new browsing context's name must be the given browsing context name (otherwise, it has no
-      name). The chosen browsing context must be this new browsing context.</p>
+      <p>A new <span>top-level browsing context</span> must be created. It will not have an
+      <span>opener browsing context</span> if the disown opener flag is true, otherwise its
+      <span>opener browsing context</span> is the current one. If the given browsing context name is
+      not <code data-x="">_blank</code>, then the new browsing context's name must be the given
+      browsing context name (otherwise, it has no name). The chosen browsing context must be this
+      new browsing context.</p>
 
       <p class="note">If the newly created <span>browsing context</span> is immediately <span
       data-x="navigate">navigated</span>, then the navigation will be done with <span>replacement
@@ -78752,8 +78759,7 @@ callback <dfn>FrameRequestCallback</dfn> = void (<span>DOMHighResTimeStamp</span
 
     <ol>
 
-     <li><p>If <var>disown opener</var> is true, <span data-x="disowned its opener">disown
-     <var>target browsing context</var>'s opener</span>, and return <code
+     <li><p>If <var>disown opener</var> is true, and <var>new</var> is true, then return <code
      data-x="">null</code>.</p></li>
 
      <li><p>Otherwise, return the <code>WindowProxy</code> object of <var>target browsing