Way to disown window.opener and become a secure context #517

Closed
jakearchibald opened this Issue Jul 25, 2016 · 5 comments

jakearchibald commented Jul 25, 2016

Similar to #139 but for this window.

If http://example.com contains:

<h1>Check out thes cooool web appz:</h1>
<ul>
  <li><a href="https://jakearchibald.github.io/svgomg/" target="_blank">SVGOMG</a></li>
  …
</ul>

…and the user clicks on that link, I can't use geolocation because I'm not a secure context. It'd be nice to prevent that.

Unfortunately we'll need a different mechanism for service worker, which needs to be secure before handling the navigation fetch.
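
An added example, not part of the original issue thread: one way for the opened page to detect the state described above and skip geolocation with a reason, assuming (as the issue describes) that an insecure opener keeps an HTTPS page out of a secure context. The function names and the sample window objects are hypothetical.

```javascript
// Added example, not from the issue thread. `win` is any window-like object,
// so the logic runs in a browser (pass `window`) or offline against mocks.

// Explain why a page is or is not a secure context, using only the standard
// isSecureContext, location.protocol and opener properties.
function classifyContext(win) {
  if (win.isSecureContext) return 'secure';
  if (win.location.protocol !== 'https:') return 'insecure-transport';
  // Served over HTTPS yet not secure: something outside this document is
  // responsible. opener may be a cross-origin WindowProxy, so only test it
  // for presence and never read its properties.
  if (win.opener != null) return 'https-with-opener';
  return 'https-other-cause'; // e.g. an insecure ancestor frame
}

// Call geolocation only when the context allows it; otherwise report the
// reason so the UI can degrade instead of failing silently.
function requestPosition(win, onPosition, onUnavailable) {
  const state = classifyContext(win);
  if (state !== 'secure') { onUnavailable(state); return false; }
  const geo = win.navigator && win.navigator.geolocation;
  if (!geo) { onUnavailable('no-geolocation-api'); return false; }
  geo.getCurrentPosition(onPosition, () => onUnavailable('denied-or-failed'));
  return true;
}

// Constructed window-like samples (not captured from a real browser).
const sampleWindows = {
  // The case in the issue: HTTPS page opened via target="_blank" from HTTP.
  openedFromHttp: { isSecureContext: false, opener: {},
    location: { protocol: 'https:' }, navigator: {} },
  // The same page opened directly, with a stubbed geolocation API.
  openedDirectly: { isSecureContext: true, opener: null,
    location: { protocol: 'https:' },
    navigator: { geolocation: { getCurrentPosition: (ok) =>
      ok({ coords: { latitude: 0, longitude: 0 } }) } } },
  // A page served over plain HTTP.
  plainHttp: { isSecureContext: false, opener: null,
    location: { protocol: 'http:' }, navigator: {} },
};
```

In a browser, call `requestPosition(window, onPosition, onUnavailable)` and use the reported reason to choose the fallback UI.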

mikewest added a commit to w3c/webappsec-csp that referenced this issue Jul 25, 2016

Stubbing out 'disown-opener'.
w3c/webappsec#517 asked for this, and it's a totally reasonable thing to do.
But, w3c/webappsec#139 asked for the inverse ('disown-openee' or something),
and it's not clear to me whether there's a good syntax that might encompass
both.

Leaving both tickets open until we come up with something we're happy with.
Until then, putting this stub in place.

delapuente commented Jul 26, 2016

I think you mean a link with target="_blank". Don't you?


jakearchibald commented Jul 29, 2016

Oops, yep. Updated.

Contributor

yoavweiss commented Aug 5, 2016

> Unfortunately we'll need a different mechanism for service worker, which needs to be secure before handling the navigation fetch.

Can we make that value "sticky" so that sites that declare it once (perhaps with a certain max-age) will have this property when opened later? That way sites can add this opener opt-out on the initial navigation, and SW would be able to use the same opt-out.

Contributor

yoavweiss commented Aug 5, 2016

At the same time, auto-disowning opener is probably a good idea on its own.

Member

annevk commented Dec 10, 2018

Superseded by whatwg/html#4078 and whatwg/html#3740.

annevk closed this Dec 10, 2018
