Enforce noopener on cross-top-level-site Blob URLs #10731

Merged 10 commits on Nov 18, 2024

recvfrom (Contributor) commented Oct 30, 2024

Enforce noopener on cross-top-level-site Blob URL navigations

This change causes noopener to be set for window.open, clicks
on 'a' / 'area' elements, and form submissions where the corresponding
Blob URL is cross-site to the top-level site of the context performing
the action. This corresponds to the discussion in
w3c/FileAPI#153.

(See WHATWG Working Mode: Changes for more details.)


/form-control-infrastructure.html ( diff )
/links.html ( diff )
/nav-history-apis.html ( diff )
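
A model of the check the description above states, as an added example that is not part of the pull request or the HTML Standard: it derives the Blob URL's site from the origin embedded in the URL and compares it with the top-level site. Assumptions: the names `forcesNoopener`, `siteOf` and `registrableDomain` are hypothetical, a small constructed suffix set stands in for the Public Suffix List, and an opaque origin is treated as cross-site.

```javascript
// Added illustration; not text from the pull request or the HTML Standard.
// Assumption: this small constructed set stands in for the Public Suffix List.
const SAMPLE_SUFFIXES = new Set(["com", "org", "co.uk", "github.io"]);

// Registrable domain: the longest matching public suffix plus one more label.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    if (SAMPLE_SUFFIXES.has(labels.slice(i).join("."))) {
      return i === 0 ? host : labels.slice(i - 1).join(".");
    }
  }
  return host; // unknown suffix or IP address: compare the full host
}

// Schemeful site of an http(s) URL, or null when the origin is opaque.
function siteOf(urlString) {
  let u;
  try {
    u = new URL(urlString);
  } catch {
    return null; // e.g. the "null/<uuid>" remainder of a blob:null/ URL
  }
  if (u.protocol !== "https:" && u.protocol !== "http:") return null;
  return `${u.protocol}//${registrableDomain(u.hostname)}`;
}

// True when opening blobUrl from a context whose top-level page is
// topLevelUrl would be forced to noopener under the rule described above.
function forcesNoopener(blobUrl, topLevelUrl) {
  if (!blobUrl.startsWith("blob:")) return false; // rule covers Blob URLs only
  const blobSite = siteOf(blobUrl.slice("blob:".length));
  const topSite = siteOf(topLevelUrl);
  return blobSite === null || topSite === null || blobSite !== topSite;
}

// Constructed sample navigations: [Blob URL, top-level page URL].
const CASES = [
  ["blob:https://app.example.com/1b2c", "https://www.example.com/"],
  ["blob:https://widget.example.org/1b2c", "https://news.example.com/article"],
  ["blob:http://example.com/1b2c", "https://example.com/"],
  ["blob:https://alice.github.io/1b2c", "https://bob.github.io/"],
  ["blob:null/1b2c", "https://example.com/"],
];
for (const [blobUrl, top] of CASES) {
  console.log(forcesNoopener(blobUrl, top), blobUrl, "opened under", top);
}
```

The second argument is the top-level page, not the frame that performs the navigation, so a Blob URL opened from an embedded third-party frame is compared against the embedding page's site.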

annevk added the security/privacy label (There are security or privacy implications) Nov 5, 2024

annevk (Member) commented Nov 5, 2024

Also, this looks really good overall! And also seems like a great privacy improvement! Thanks for tackling it.

recvfrom (Contributor Author) commented Nov 6, 2024

> Also, this looks really good overall! And also seems like a great privacy improvement! Thanks for tackling it.

Thank you! :D

annevk (Member) left a comment

This looks good to me modulo these final nits. I'd like to wait until next week so @domenic has a chance to skim this too as he's quite familiar with the window open steps as well.

annevk (Member) left a comment

Very nice. Feel free to ping in two weeks or so if @domenic hasn't had a chance in which case I'll do one more final read and land this.

@domenic domenic merged commit c0fbcc2 into whatwg:main Nov 18, 2024
2 checks passed