Form navigations with target=_blank should not have an opener

https://bugs.webkit.org/show_bug.cgi?id=232243 Reviewed by Sam Weinig. LayoutTests/imported/w3c: Merge web-platform-tests/wpt#31368 from upstream WPT to fix outdated expectations in WPT tests. * web-platform-tests/content-security-policy/form-action/form-action-self-allowed-target-blank.html: * web-platform-tests/content-security-policy/form-action/form-action-src-allowed-target-blank.sub.html: * web-platform-tests/content-security-policy/form-action/form-action-src-redirect-allowed-target-blank.sub.html: * web-platform-tests/html/semantics/forms/form-submission-target/resources/reltester.js: (formUsesTargetBlank): (relTester): Source/WebCore: Form navigations with target=_blank should not have an opener (unless rel="opener" is specified on the <form>), similarly to link navigations. This is a bit better for security as Web developers may not realize that popups opened via target=_blank get an opener link by default and do things like post messages to their opener, or navigate it. Not having an opener relationship also enables us to process-swap in more cases for better site isolation. This behavior is behind the same experimental feature flag as the behavior for anchors with target=_blank since WebKit is the only engine implementing this at the moment (despite this behavior having been standardized). No new tests, updated existing tests. * html/HTMLFormElement.cpp: (WebCore::parseFormRelAttributes): (WebCore::HTMLFormElement::submit): Canonical link: https://commits.webkit.org/243513@main git-svn-id: https://svn.webkit.org/repository/webkit/trunk@284821 268f45cc-cd09-0410-ab3c-d52691b4dbfc
WebKit · Oct 25, 2021 · 82c4eeb93f2e140bf710266110410c66e9bc817d · 82c4eeb
1 parent 88097ab
commit 82c4eeb93f2e140bf710266110410c66e9bc817d
Showing 11 changed files with 72 additions and 13 deletions.
diff --git a/LayoutTests/fast/events/popup-allowed-from-gesture-initiated-form-submit.html b/LayoutTests/fast/events/popup-allowed-from-gesture-initiated-form-submit.html
@@ -1,6 +1,6 @@
 <html> <!-- webkit-test-runner [ JavaScriptCanOpenWindowsAutomatically=false ] -->
     <body>
-        <form action="resources/popup-allowed-from-gesture-initiated-form-submit-target.html" method="post" target="_blank">
+        <form action="resources/popup-allowed-from-gesture-initiated-form-submit-target.html" method="post" target="_blank" rel="opener">
             <input id="button" type="submit" value="Click Here" />
         </form>
         <div id="console">FAIL</div>

diff --git a/LayoutTests/fast/forms/submit-to-blank-multiple-times.html b/LayoutTests/fast/forms/submit-to-blank-multiple-times.html
@@ -7,11 +7,11 @@
         <p>
             This test will click the first submit button twice, then press the space bar on the second submit button twice. Both should popup two blank windows.
         </p>
-        <form action="resources/submit-to-blank-multiple-times-form-action.html" target="_blank">
+        <form action="resources/submit-to-blank-multiple-times-form-action.html" target="_blank" rel="opener">
             <input name="nextOp" id="nextOp" type="hidden">
             <input name="submit" id="submit" type="submit">
         </form>
-        <form action="resources/submit-to-blank-multiple-times-form-action.html" target="_blank">
+        <form action="resources/submit-to-blank-multiple-times-form-action.html" target="_blank" rel="opener">
             <input name="nextOp" id="nextOpKey" type="hidden">
             <input name="submit" id="submitKey" type="submit">
         </form>

diff --git a/LayoutTests/http/tests/cookies/same-site/popup-cross-site-post.html b/LayoutTests/http/tests/cookies/same-site/popup-cross-site-post.html
@@ -27,7 +27,8 @@
         var f = document.createElement('form');
         f.action = "http://127.0.0.1:8000/cookies/resources/post-cookies-to-opener.py";
         f.method = "POST";
-        f.target = "_blank"
+        f.target = "_blank";
+        f.rel = "opener";
         window.onload = t.step_func(f.submit.bind(f));
         document.body.appendChild(f);
     }, "'127.0.0.1' is not same-site with 'localhost', so samesite cookies are not sent via POST.");

diff --git a/LayoutTests/http/tests/cookies/same-site/popup-same-site-post.html b/LayoutTests/http/tests/cookies/same-site/popup-same-site-post.html
@@ -26,6 +26,7 @@
     f.action = "http://127.0.0.1:8000/cookies/resources/post-cookies-to-opener.py";
     f.method = "POST";
     f.target = "_blank";
+    f.rel = "opener";
     window.onload = t.step_func(f.submit.bind(f));
     document.body.appendChild(f);
 }, "'127.0.0.1' is same-site with itself, so samesite cookies are sent via POST.");

diff --git a/LayoutTests/imported/w3c/ChangeLog b/LayoutTests/imported/w3c/ChangeLog
@@ -1,3 +1,20 @@
+2021-10-25  Chris Dumez  <cdumez@apple.com>
+
+        Form navigations with target=_blank should not have an opener
+        https://bugs.webkit.org/show_bug.cgi?id=232243
+
+        Reviewed by Sam Weinig.
+
+        Merge https://github.com/web-platform-tests/wpt/pull/31368 from upstream WPT to fix outdated expectations in
+        WPT tests.
+
+        * web-platform-tests/content-security-policy/form-action/form-action-self-allowed-target-blank.html:
+        * web-platform-tests/content-security-policy/form-action/form-action-src-allowed-target-blank.sub.html:
+        * web-platform-tests/content-security-policy/form-action/form-action-src-redirect-allowed-target-blank.sub.html:
+        * web-platform-tests/html/semantics/forms/form-submission-target/resources/reltester.js:
+        (formUsesTargetBlank):
+        (relTester):
+
 2021-10-25  Chris Dumez  <cdumez@apple.com>
 
         imported/w3c/web-platform-tests/html/semantics/forms/form-submission-0/form-submission-algorithm.html is timing out

diff --git a/...form-tests/content-security-policy/form-action/form-action-self-allowed-target-blank.html b/...form-tests/content-security-policy/form-action/form-action-self-allowed-target-blank.html
@@ -10,7 +10,8 @@
 <body>
   <form action='/content-security-policy/support/postmessage-pass-to-opener.html'
         id='form_id'
-        target="_blank">
+        target="_blank"
+        rel="opener">
   </form>
 
   <p>

diff --git a/...m-tests/content-security-policy/form-action/form-action-src-allowed-target-blank.sub.html b/...m-tests/content-security-policy/form-action/form-action-src-allowed-target-blank.sub.html
@@ -25,10 +25,9 @@
   </script>
 </head>
 <body onload="OnDocumentLoaded();">
-  <form id="form" method="GET" target="_blank">
+  <form id="form" method="GET" target="_blank" rel="opener">
     <input type="hidden" name="message" value="DocumentNotBlocked">
     <input type="submit" id="submit">
   </form>
 </body>
 </html>
-
diff --git a/...ontent-security-policy/form-action/form-action-src-redirect-allowed-target-blank.sub.html b/...ontent-security-policy/form-action/form-action-src-redirect-allowed-target-blank.sub.html
@@ -26,9 +26,8 @@
   </script>
 </head>
 <body onload="OnDocumentLoaded();">
-  <form id="form" method="POST" target="_blank">
+  <form id="form" method="POST" target="_blank" rel="opener">
     <input type="submit" id="submit">
   </form>
 </body>
 </html>
-
diff --git a/...w3c/web-platform-tests/html/semantics/forms/form-submission-target/resources/reltester.js b/...w3c/web-platform-tests/html/semantics/forms/form-submission-target/resources/reltester.js
@@ -1,3 +1,19 @@
+function formUsesTargetBlank(submitter) {
+  if (submitter.formTarget && submitter.formTarget === "_blank") {
+    return true;
+  }
+  if (submitter.form && submitter.form.target === "_blank") {
+    return true;
+  }
+  if (submitter.target && submitter.target === "_blank") {
+    return true;
+  }
+  if (submitter.getRootNode().querySelector("base").target === "_blank") {
+    return true;
+  }
+  return false;
+}
+
 function relTester(submitter, channelInput, title) {
   [
     {
@@ -51,7 +67,8 @@ function relTester(submitter, channelInput, title) {
           } else {
             assert_equals(e.data.referrer, "", "referrer");
           }
-          if (relTest.exposed === "all") {
+          // When rel is not explicitly given, account for target=_blank defaulting to noopener
+          if (relTest.exposed === "all" && !(relTest.rel === "" && formUsesTargetBlank(submitter))) {
             assert_true(e.data.haveOpener, "opener");
           } else {
             assert_false(e.data.haveOpener, "opener");

diff --git a/Source/WebCore/ChangeLog b/Source/WebCore/ChangeLog
@@ -1,3 +1,26 @@
+2021-10-25  Chris Dumez  <cdumez@apple.com>
+
+        Form navigations with target=_blank should not have an opener
+        https://bugs.webkit.org/show_bug.cgi?id=232243
+
+        Reviewed by Sam Weinig.
+
+        Form navigations with target=_blank should not have an opener (unless rel="opener" is specified
+        on the <form>), similarly to link navigations. This is a bit better for security as Web developers
+        may not realize that popups opened via target=_blank get an opener link by default and do things
+        like post messages to their opener, or navigate it. Not having an opener relationship also enables
+        us to process-swap in more cases for better site isolation.
+
+        This behavior is behind the same experimental feature flag as the behavior for anchors with target=_blank
+        since WebKit is the only engine implementing this at the moment (despite this behavior having been
+        standardized).
+
+        No new tests, updated existing tests.
+
+        * html/HTMLFormElement.cpp:
+        (WebCore::parseFormRelAttributes):
+        (WebCore::HTMLFormElement::submit):
+
 2021-10-25  Alex Christensen  <achristensen@webkit.org>
 
         WebKit ought to be able to play videos without Content-Length HTTP header fields and without range support

diff --git a/Source/WebCore/html/HTMLFormElement.cpp b/Source/WebCore/html/HTMLFormElement.cpp
@@ -73,6 +73,7 @@ using namespace HTMLNames;
 struct FormRelAttributes {
     bool noopener { false };
     bool noreferrer { false };
+    bool opener { false };
 };
 
 static FormRelAttributes parseFormRelAttributes(StringView string)
@@ -83,6 +84,8 @@ static FormRelAttributes parseFormRelAttributes(StringView string)
             attributes.noopener = true;
         else if (equalIgnoringASCIICase(token, "noreferrer"))
             attributes.noreferrer = true;
+        else if (equalIgnoringASCIICase(token, "opener"))
+            attributes.opener = true;
     }
     return attributes;
 }
@@ -425,9 +428,7 @@ void HTMLFormElement::submit(Event* event, bool activateSubmitButton, bool proce
         return;
 
     auto relAttributes = parseFormRelAttributes(getAttribute(HTMLNames::relAttr));
-    // FIXME: According to the specification, having `target=blank` without `rel="opener"` should suppress the opener.
-    // However, this is not currently implemented as it is causing some WPT tests to fail (https://github.com/whatwg/html/issues/7256).
-    if (relAttributes.noopener || relAttributes.noreferrer)
+    if (relAttributes.noopener || relAttributes.noreferrer || (!relAttributes.opener && document().settings().blankAnchorTargetImpliesNoOpenerEnabled() && equalIgnoringASCIICase(formSubmission->target(), "_blank")))
         formSubmission->setNewFrameOpenerPolicy(NewFrameOpenerPolicy::Suppress);
     if (relAttributes.noreferrer)
         formSubmission->setReferrerPolicy(ReferrerPolicy::NoReferrer);