Enforce noopener on cross-top-level-site Blob URL navigations
This change causes noopener to be set for window.open, clicks
on 'a' / 'area' elements, and form submissions where the corresponding
Blob URL is cross-site to the top-level site of the context performing
the action. This corresponds to the discussion in
w3c/FileAPI#153.
recvfrom committed Oct 30, 2024
1 parent fe70744 commit baf81f8
Showing 1 changed file with 77 additions and 14 deletions.
91 changes: 77 additions & 14 deletions source
Expand Up @@ -25532,7 +25532,8 @@ document.body.appendChild(wbr);</code></pre>
web content.</p>

<p>To <dfn>get an element's noopener</dfn>, given an <code>a</code>, <code>area</code>, or
<code>form</code> element <var>element</var> and a string <var>target</var>:</p>
<code>form</code> element <var>element</var>, a string <var>url</var>, and a string
<var>target</var>, perform the following steps. They return a boolean.

<ol>
<li><p>If <var>element</var>'s <a href="#linkTypes">link types</a> include the <code
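Review bot: the rewritten introduction to "get an element's noopener" is never closed. The line ending "perform the following steps. They return a boolean." has no </p> before the <ol>, whereas the line it replaces ended in ":</p>"; add the closing tag. The algorithm also gains a required url argument here, so every caller has to pass it, and none of the hunks shown on this page touch a call site. Worth confirming before merge.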
Expand All @@ -25544,6 +25545,27 @@ document.body.appendChild(wbr);</code></pre>
<span>ASCII case-insensitive</span> match for "<code data-x="">_blank</code>", then return
true.</p></li>

<li><p>Let <var>maybeURL</var> be the result of <span>encoding-parsing a URL</span> given
<var>url</var>.</p></li>

<li><p>If <var>maybeURL</var> is not failure and <var>maybeURL</var>'s
<span data-x="concept-url-scheme">scheme</span> is "<code data-x="">blob</code>", run these
steps:</p>

<ol>
<li><p>Let <var>blobOrigin</var> be <var>maybeURL</var>'s
<span data-x="concept-url-blob-entry">blob URL entry</span>'s
<span>environment settings object</span>'s <span>origin</span>.</p></li>

<li><p>Let <var>topLevelOrigin</var> be <var>element</var>'s <span>node navigable</span>'s
<span data-x="nav-document">active document</span>'s <span>relevant settings object</span>'s
<span>top-level origin</span>.</p></li>

<li><p>If <var>blobOrigin</var>is not <span>same site</span> with <var>topLevelOrigin</var>,
then return true.</p></li>
</ol>
</li>

<li><p>Return false.</p></li>
</ol>
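Review bot: the blob branch reads maybeURL's blob URL entry's environment settings object's origin without checking that the blob URL entry is non-null. A URL's blob URL entry is null when the blob URL could not be resolved, so the "Let blobOrigin be ..." step needs a guard and a defined return value for that case. Separately, "<var>blobOrigin</var>is not" is missing a space after </var>.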

Expand Down Expand Up @@ -89707,23 +89729,36 @@ dictionary <dfn dictionary>WindowPostMessageOptions</dfn> : <span>StructuredSeri

<div w-nodev>

<p>The <dfn>window open steps</dfn>, given a string <var>url</var>, a string <var>target</var>,
and a string <var>features</var>, are as follows:</p>
<p>To <dfn>get noopener for window open</dfn>, given a string <var>url</var>, a
<span>Document</span> <var>sourceDocument</var>, an <span>ordered map</span>
<var>tokenizedFeatures</var>, and a boolean <var>noreferrer</var>, perform the following steps.
They return a boolean.</p>

<ol>
<li><p>If the <span>event loop</span>'s <span>termination nesting level</span> is nonzero,
return null.</p></li>
<li><p>If <var>noreferrer</var> is true, return true.</p></li>

<li><p>Let <var>sourceDocument</var> be the <span>entry global object</span>'s <span
data-x="concept-document-window">associated <code>Document</code></span>.</p></li>
<li><p>Let <var>maybeURL</var> be the result of <span>encoding-parsing a URL</span> given
<var>url</var>.</p></li>

<li><p>If <var>target</var> is the empty string, then set <var>target</var> to "<code
data-x="">_blank</code>".</p></li>
<li><p>If <var>maybeURL</var> is not failure and <var>maybeURL</var>'s
<span data-x="concept-url-scheme">scheme</span> is "<code data-x="">blob</code>", run these
steps:</p>

<li><p>Let <var>tokenizedFeatures</var> be the result of <span
data-x="concept-window-open-features-tokenize">tokenizing</span> <var>features</var>.</p></li>
<ol>
<li><p>Let <var>blobOrigin</var> be <var>maybeURL</var>'s
<span data-x="concept-url-blob-entry">blob URL entry</span>'s
<span>environment settings object</span>'s <span>origin</span>.

<li><p>Let <var>topLevelOrigin</var> be <var>sourceDocument</var>'s <span>node navigable</span>'s
<span data-x="nav-document">active document</span>'s <span>relevant settings object</span>'s
<span>top-level origin</span>.</p></li>

<li><p>If <var>blobOrigin</var>is not <span>same site</span> with <var>topLevelOrigin</var>,
then return true.</p></li>
</ol>
</li>

<li><p>Let <var>noopener</var> and <var>noreferrer</var> be false.</p></li>
<li><p>Let <var>noopener</var> be false.</p></li>

<li>
<p>If <var>tokenizedFeatures</var>["<code data-x="">noopener</code>"] <span data-x="map
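Review bot: in "get noopener for window open", the "Let blobOrigin be ..." step ends at "<span>origin</span>." with no closing </p></li>, unlike the same step in "get an element's noopener"; close it so the next <li> is a sibling. The "is not same site" step repeats the missing space after "<var>blobOrigin</var>". "encoding-parsing a URL given url" should also say which document the parse is relative to, and sourceDocument is available here. The three blob sub-steps are now duplicated across two algorithms; one shared algorithm taking the URL and a top-level origin would keep them from drifting apart.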
Expand All @@ -89740,6 +89775,29 @@ dictionary <dfn dictionary>WindowPostMessageOptions</dfn> : <span>StructuredSeri
</ol>
</li>

<li><p>Return <var>noopener</var>.</p></li>
</ol>

<div w-nodev>

<p>The <dfn>window open steps</dfn>, given a string <var>url</var>, a string <var>target</var>,
and a string <var>features</var>, are as follows:</p>

<ol>
<li><p>If the <span>event loop</span>'s <span>termination nesting level</span> is nonzero,
return null.</p></li>

<li><p>Let <var>sourceDocument</var> be the <span>entry global object</span>'s <span
data-x="concept-document-window">associated <code>Document</code></span>.</p></li>

<li><p>If <var>target</var> is the empty string, then set <var>target</var> to "<code
data-x="">_blank</code>".</p></li>

<li><p>Let <var>tokenizedFeatures</var> be the result of <span
data-x="concept-window-open-features-tokenize">tokenizing</span> <var>features</var>.</p></li>

<li><p>Let <var>noreferrer</var> be false.</p></li>

<li>
<p>If <var>tokenizedFeatures</var>["<code data-x="">noreferrer</code>"] <span data-x="map
exists">exists</span>, then:</p>
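Review bot: a second <div w-nodev> is opened directly before "The window open steps", but the <div w-nodev> that now wraps "get noopener for window open" has no </div> after that algorithm's closing </ol> in the lines shown. Close the first block before the new opening tag, or drop the added opening tag, so the divs stay balanced.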
Expand All @@ -89755,10 +89813,15 @@ dictionary <dfn dictionary>WindowPostMessageOptions</dfn> : <span>StructuredSeri
</ol>
</li>

<li><p>Let <var>noopener</var> be the result of
<span data-x="get noopener for window open">getting noopener for window open</span> with
<var>url</var>, <var>sourceDocument</var>, <var>tokenizedFeatures</var>, and
<var>noreferrer</var>.</p></li>

<li><p>Let <var>referrerPolicy</var> be the empty string.</p></li>

<li><p>If <var>noreferrer</var> is true, then set <var>noopener</var> to true and set
<var>referrerPolicy</var> to "<code data-x="">no-referrer</code>".</p></li>
<li><p>If <var>noreferrer</var> is true, then set <var>referrerPolicy</var> to
"<code data-x="">no-referrer</code>".</p></li>

<li>
<p>Let <var>targetNavigable</var> and <var>windowType</var> be the result of applying <span>the
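Review bot: the step "If noreferrer is true, then set referrerPolicy to no-referrer" no longer shows that noreferrer forces noopener; that rule now lives only in the first step of "get noopener for window open". A short non-normative note at the call site, or a cross-reference on the helper's first step, would keep the coupling visible to readers of the window open steps, and makes it explicit that noreferrer must be computed before the helper is invoked.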