ALLOWPOPUPS_HTML_CHECK

Luca Carettoni edited this page Jan 16, 2019 · 1 revision

ALLOWPOPUPS_HTML_CHECK - Do not allow popups in webview

When the allowpopups attribute is present, the guest page will be allowed to open new windows. Popups are disabled by default.


Risk

Disabling popups reduces the risk of UI-redressing attacks and limits the exploitability of window abuses. Additionally, popups are often used for intrusive advertising and persistency in JavaScript-based attacks.

Auditing

Search for the specific allowpopups blinkfeatures attribute in webview tags:

<webview src="https://doyensec.com/" allowpopups></webview>

References

You can’t perform that action at this time.
You signed in with another tab or window. Reload to refresh your session. You signed out in another tab or window. Reload to refresh your session.
Press h to open a hovercard with more details.