Form navigations with target=_blank should not have an opener
https://bugs.webkit.org/show_bug.cgi?id=232243

Reviewed by Sam Weinig.

LayoutTests/imported/w3c:

Merge web-platform-tests/wpt#31368 from upstream WPT to fix outdated expectations in
WPT tests.

* web-platform-tests/content-security-policy/form-action/form-action-self-allowed-target-blank.html:
* web-platform-tests/content-security-policy/form-action/form-action-src-allowed-target-blank.sub.html:
* web-platform-tests/content-security-policy/form-action/form-action-src-redirect-allowed-target-blank.sub.html:
* web-platform-tests/html/semantics/forms/form-submission-target/resources/reltester.js:
(formUsesTargetBlank):
(relTester):

Source/WebCore:

Form navigations with target=_blank should not have an opener (unless rel="opener" is specified
on the <form>), similarly to link navigations. This is a bit better for security as Web developers
may not realize that popups opened via target=_blank get an opener link by default and do things
like post messages to their opener, or navigate it. Not having an opener relationship also enables
us to process-swap in more cases for better site isolation.

This behavior is behind the same experimental feature flag as the behavior for anchors with target=_blank
since WebKit is the only engine implementing this at the moment (despite this behavior having been
standardized).

No new tests, updated existing tests.

* html/HTMLFormElement.cpp:
(WebCore::parseFormRelAttributes):
(WebCore::HTMLFormElement::submit):


Canonical link: https://commits.webkit.org/243513@main
git-svn-id: https://svn.webkit.org/repository/webkit/trunk@284821 268f45cc-cd09-0410-ab3c-d52691b4dbfc
cdumez committed Oct 25, 2021
1 parent 88097ab commit 82c4eeb93f2e140bf710266110410c66e9bc817d
Showing 11 changed files with 72 additions and 13 deletions.
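The opener decision this commit adds to HTMLFormElement::submit, modelled in plain JavaScript as an added example that is not WebKit's code: parseFormRel, openerPolicyForSubmission and formsExposingOpener are names chosen for this example, the blankTargetImpliesNoOpener argument stands in for the experimental setting the commit message refers to, and the sample forms are constructed.

```javascript
// Added example, not WebKit code: a plain-JavaScript model of the opener
// decision HTMLFormElement::submit makes for a form submission.
// parseFormRel / openerPolicyForSubmission / formsExposingOpener are names
// chosen for this example; blankTargetImpliesNoOpener stands in for the
// experimental setting the commit message refers to.

// rel is a set of space-separated tokens matched ASCII case-insensitively;
// these are the three tokens WebKit's parseFormRelAttributes recognizes.
function parseFormRel(relValue) {
  const attrs = { noopener: false, noreferrer: false, opener: false };
  for (const token of String(relValue ?? "").split(/[ \t\n\f\r]+/)) {
    const t = token.toLowerCase();
    if (t === "noopener") attrs.noopener = true;
    else if (t === "noreferrer") attrs.noreferrer = true;
    else if (t === "opener") attrs.opener = true;
  }
  return attrs;
}

// Returns the policies applied to the new browsing context:
//   opener:   "suppress" (no window.opener) or "allow"
//   referrer: "no-referrer" when rel=noreferrer, otherwise "default"
// noopener/noreferrer always win; otherwise target=_blank without an explicit
// rel=opener suppresses the opener when the flag is on (the commit's change).
function openerPolicyForSubmission({ rel = "", target = "", blankTargetImpliesNoOpener = true }) {
  const r = parseFormRel(rel);
  const isBlank = target.toLowerCase() === "_blank";
  let opener = "allow";
  if (r.noopener || r.noreferrer) opener = "suppress";
  else if (!r.opener && blankTargetImpliesNoOpener && isBlank) opener = "suppress";
  return { opener, referrer: r.noreferrer ? "no-referrer" : "default" };
}

// Defender-side audit: ids of target=_blank forms whose popup would still be
// handed a window.opener under the given engine setting.
function formsExposingOpener(forms, blankTargetImpliesNoOpener) {
  return forms
    .filter((f) => f.target.toLowerCase() === "_blank")
    .filter((f) => openerPolicyForSubmission({ ...f, blankTargetImpliesNoOpener }).opener === "allow")
    .map((f) => f.id);
}

// Constructed sample forms (not taken from any real page).
const sampleForms = [
  { id: "legacy", target: "_blank", rel: "" },            // relied on the old default
  { id: "explicit-opener", target: "_blank", rel: "opener" },
  { id: "hardened", target: "_BLANK", rel: "NoOpener" },  // attribute case is irrelevant
  { id: "same-frame", target: "_self", rel: "" },
];

console.log(formsExposingOpener(sampleForms, true));  // with the flag: ["explicit-opener"]
console.log(formsExposingOpener(sampleForms, false)); // without it: ["legacy", "explicit-opener"]
```

The audit function is the part a site owner would actually run: with the new default on, only forms that opt in via rel="opener" still hand the popup a window.opener; with it off, every target=_blank form without rel="noopener" or rel="noreferrer" does.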
@@ -1,6 +1,6 @@
<html> <!-- webkit-test-runner [ JavaScriptCanOpenWindowsAutomatically=false ] -->
<body>
<form action="resources/popup-allowed-from-gesture-initiated-form-submit-target.html" method="post" target="_blank">
<form action="resources/popup-allowed-from-gesture-initiated-form-submit-target.html" method="post" target="_blank" rel="opener">
<input id="button" type="submit" value="Click Here" />
</form>
<div id="console">FAIL</div>
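Review bot: the only change here is `rel="opener"` on the form, which preserves the opener relationship this test relied on before target=_blank started defaulting to no opener; a short HTML comment beside the attribute saying that it is required (not a leftover) would keep a later cleanup from dropping it and quietly breaking the test.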
@@ -7,11 +7,11 @@
<p>
This test will click the first submit button twice, then press the space bar on the second submit button twice. Both should popup two blank windows.
</p>
<form action="resources/submit-to-blank-multiple-times-form-action.html" target="_blank">
<form action="resources/submit-to-blank-multiple-times-form-action.html" target="_blank" rel="opener">
<input name="nextOp" id="nextOp" type="hidden">
<input name="submit" id="submit" type="submit">
</form>
<form action="resources/submit-to-blank-multiple-times-form-action.html" target="_blank">
<form action="resources/submit-to-blank-multiple-times-form-action.html" target="_blank" rel="opener">
<input name="nextOp" id="nextOpKey" type="hidden">
<input name="submit" id="submitKey" type="submit">
</form>
@@ -27,7 +27,8 @@
var f = document.createElement('form');
f.action = "http://127.0.0.1:8000/cookies/resources/post-cookies-to-opener.py";
f.method = "POST";
f.target = "_blank"
f.target = "_blank";
f.rel = "opener";
window.onload = t.step_func(f.submit.bind(f));
document.body.appendChild(f);
}, "'127.0.0.1' is not same-site with 'localhost', so samesite cookies are not sent via POST.");
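Review bot: besides adding `f.rel = "opener"`, this hunk also fixes the missing semicolon on `f.target = "_blank"`, which is fine as a drive-by. Since the action URL is `post-cookies-to-opener.py`, the opener is what the test reports through; a one-line comment stating that `rel = "opener"` exists for that reason would help here and in the same-site twin test below.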
@@ -26,6 +26,7 @@
f.action = "http://127.0.0.1:8000/cookies/resources/post-cookies-to-opener.py";
f.method = "POST";
f.target = "_blank";
f.rel = "opener";
window.onload = t.step_func(f.submit.bind(f));
document.body.appendChild(f);
}, "'127.0.0.1' is same-site with itself, so samesite cookies are sent via POST.");
@@ -1,3 +1,20 @@
2021-10-25 Chris Dumez <cdumez@apple.com>

Form navigations with target=_blank should not have an opener
https://bugs.webkit.org/show_bug.cgi?id=232243

Reviewed by Sam Weinig.

Merge https://github.com/web-platform-tests/wpt/pull/31368 from upstream WPT to fix outdated expectations in
WPT tests.

* web-platform-tests/content-security-policy/form-action/form-action-self-allowed-target-blank.html:
* web-platform-tests/content-security-policy/form-action/form-action-src-allowed-target-blank.sub.html:
* web-platform-tests/content-security-policy/form-action/form-action-src-redirect-allowed-target-blank.sub.html:
* web-platform-tests/html/semantics/forms/form-submission-target/resources/reltester.js:
(formUsesTargetBlank):
(relTester):

2021-10-25 Chris Dumez <cdumez@apple.com>

imported/w3c/web-platform-tests/html/semantics/forms/form-submission-0/form-submission-algorithm.html is timing out
@@ -10,7 +10,8 @@
<body>
<form action='/content-security-policy/support/postmessage-pass-to-opener.html'
id='form_id'
target="_blank">
target="_blank"
rel="opener">
</form>

<p>
@@ -25,10 +25,9 @@
</script>
</head>
<body onload="OnDocumentLoaded();">
<form id="form" method="GET" target="_blank">
<form id="form" method="GET" target="_blank" rel="opener">
<input type="hidden" name="message" value="DocumentNotBlocked">
<input type="submit" id="submit">
</form>
</body>
</html>

@@ -26,9 +26,8 @@
</script>
</head>
<body onload="OnDocumentLoaded();">
<form id="form" method="POST" target="_blank">
<form id="form" method="POST" target="_blank" rel="opener">
<input type="submit" id="submit">
</form>
</body>
</html>

@@ -1,3 +1,19 @@
function formUsesTargetBlank(submitter) {
if (submitter.formTarget && submitter.formTarget === "_blank") {
return true;
}
if (submitter.form && submitter.form.target === "_blank") {
return true;
}
if (submitter.target && submitter.target === "_blank") {
return true;
}
if (submitter.getRootNode().querySelector("base").target === "_blank") {
return true;
}
return false;
}

function relTester(submitter, channelInput, title) {
[
{
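Review bot: `submitter.getRootNode().querySelector("base").target` in formUsesTargetBlank throws a TypeError on any document without a `<base>` element, because querySelector returns null; guard it (`const base = submitter.getRootNode().querySelector("base"); if (base && base.target === "_blank")`) or every relTester run on a base-less page fails before reaching the assertions. The `=== "_blank"` comparisons are also case-sensitive, while the engine matches the keyword ASCII case-insensitively (see the `equalIgnoringASCIICase` call in HTMLFormElement.cpp below), so a form with `target="_Blank"` would be classified as non-blank here but get its opener suppressed by the browser.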
@@ -51,7 +67,8 @@ function relTester(submitter, channelInput, title) {
} else {
assert_equals(e.data.referrer, "", "referrer");
}
if (relTest.exposed === "all") {
// When rel is not explicitly given, account for target=_blank defaulting to noopener
if (relTest.exposed === "all" && !(relTest.rel === "" && formUsesTargetBlank(submitter))) {
assert_true(e.data.haveOpener, "opener");
} else {
assert_false(e.data.haveOpener, "opener");
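Review bot: the exception in the new condition keys off `relTest.rel === ""`, but the engine suppresses the opener whenever none of opener/noopener/noreferrer is present, so a rel value that is whitespace-only or made of unrecognized tokens would behave like the empty case in the browser yet be expected to expose an opener by this test; if relTester has such cases, the check should test for the absence of those three tokens rather than for an empty string.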
@@ -1,3 +1,26 @@
2021-10-25 Chris Dumez <cdumez@apple.com>

Form navigations with target=_blank should not have an opener
https://bugs.webkit.org/show_bug.cgi?id=232243

Reviewed by Sam Weinig.

Form navigations with target=_blank should not have an opener (unless rel="opener" is specified
on the <form>), similarly to link navigations. This is a bit better for security as Web developers
may not realize that popups opened via target=_blank get an opener link by default and do things
like post messages to their opener, or navigate it. Not having an opener relationship also enables
us to process-swap in more cases for better site isolation.

This behavior is behind the same experimental feature flag as the behavior for anchors with target=_blank
since WebKit is the only engine implementing this at the moment (despite this behavior having been
standardized).

No new tests, updated existing tests.

* html/HTMLFormElement.cpp:
(WebCore::parseFormRelAttributes):
(WebCore::HTMLFormElement::submit):

2021-10-25 Alex Christensen <achristensen@webkit.org>

WebKit ought to be able to play videos without Content-Length HTTP header fields and without range support
@@ -73,6 +73,7 @@ using namespace HTMLNames;
struct FormRelAttributes {
bool noopener { false };
bool noreferrer { false };
bool opener { false };
};

static FormRelAttributes parseFormRelAttributes(StringView string)
@@ -83,6 +84,8 @@ static FormRelAttributes parseFormRelAttributes(StringView string)
attributes.noopener = true;
else if (equalIgnoringASCIICase(token, "noreferrer"))
attributes.noreferrer = true;
else if (equalIgnoringASCIICase(token, "opener"))
attributes.opener = true;
}
return attributes;
}
@@ -425,9 +428,7 @@ void HTMLFormElement::submit(Event* event, bool activateSubmitButton, bool proce
return;

auto relAttributes = parseFormRelAttributes(getAttribute(HTMLNames::relAttr));
// FIXME: According to the specification, having `target=blank` without `rel="opener"` should suppress the opener.
// However, this is not currently implemented as it is causing some WPT tests to fail (https://github.com/whatwg/html/issues/7256).
if (relAttributes.noopener || relAttributes.noreferrer)
if (relAttributes.noopener || relAttributes.noreferrer || (!relAttributes.opener && document().settings().blankAnchorTargetImpliesNoOpenerEnabled() && equalIgnoringASCIICase(formSubmission->target(), "_blank")))
formSubmission->setNewFrameOpenerPolicy(NewFrameOpenerPolicy::Suppress);
if (relAttributes.noreferrer)
formSubmission->setReferrerPolicy(ReferrerPolicy::NoReferrer);

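Review bot: the replacement `if` packs four conditions onto one line; pulling `!relAttributes.opener && document().settings().blankAnchorTargetImpliesNoOpenerEnabled() && equalIgnoringASCIICase(formSubmission->target(), "_blank")` into a named local such as `blankTargetWithoutExplicitOpener` would keep it readable and make the precedence (noopener/noreferrer win even when rel="opener" is also present) obvious. The setting is named for anchors but now governs form submissions as well, so a comment here, or at the setting's definition, should say so to avoid surprising whoever flips it.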