Enforce noopener on cross-top-level-site Blob URLs #10731
This change causes noopener to be set for window.open, clicks on 'a' / 'area' elements, and form submissions where the corresponding Blob URL is cross-site to the top-level site of the context performing the action. This corresponds to the discussion in w3c/FileAPI#153.
Also, this looks really good overall! And also seems like a great privacy improvement! Thanks for tackling it.
Thank you! :D
This looks good to me modulo these final nits. I'd like to wait until next week so @domenic has a chance to skim this too as he's quite familiar with the window open steps as well.
Very nice. Feel free to ping in two weeks or so if @domenic hasn't had a chance in which case I'll do one more final read and land this.
Enforce noopener on cross-top-level-site Blob URL navigations
This change causes noopener to be set for window.open, clicks
on 'a' / 'area' elements, and form submissions where the corresponding
Blob URL is cross-site to the top-level site of the context performing
the action. This corresponds to the discussion in
w3c/FileAPI#153.
(See WHATWG Working Mode: Changes for more details.)
/form-control-infrastructure.html ( diff )
/links.html ( diff )
/nav-history-apis.html ( diff )