Cross-Origin-Opener-Policy: change defaults to not expose the opener #4600
Comments
Note that we could consider doing this even if Another problem might be deciding what to do here for the reporting mode (assuming we can figure out something agreeable there).
I'd be a little wary of requiring developers to make application changes in this case; it would mean that even a less strict version of COOP with
It seems okay to expect developers to explicitly set
I don't think the latter can ever be permitted as part of the threat model here is that the site specifying
Are you talking about the restrictive "CORP-P" case where we'd use COOP as a way to ensure that all your cross-origin links would open in a different browsing context group? If so, then I see your point, but since we'd have to disallow or ignore
Hmm,
The main danger I see is that developers could unwittingly add One thing I'd prefer to avoid is requiring developers who specify If you don't like
Yeah, I think the current model is best given the constraints imposed by "legacy" adoption. Perhaps flipping the default on openers could be yet another toggle.
Closing per the above discussion. If an additional toggle would be worth having please do say so, though this might be good as a document policy (per the ongoing Feature Policy revamp) instead.
When `Cross-Origin-Opener-Policy: * unsafe-allow-outgoing` is specified the current context can open windows cross-origin and they will get a reference to the opener. This behavior can be avoided by setting `rel=noopener` in all `a` tags and having the `window.open` `noopener` feature set to "yes", or by manually assigning `null` to the `opener` property after opening. This makes every call to `window.open` and every `a` tag a potential vulnerability, making it much easier for developers to get this wrong.

My proposal is to change default behaviors and automatically set "noopener" on all links and `window.open` calls, requiring developers to specify a `rel="opener"` on `a` tags and `opener=yes` in `window.open` features.

Note: the "opener" value was already proposed to address similar unsafe defaults on `_blank` targets.

@annevk raised a concern about this proposal because it could make it harder to deploy COOP. I wonder how many applications that are interested in COOP are also willing to give away window references. I'll update this bug as soon as I have data about it.

/cc @arturjanc @mikewest
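The three mitigations the issue lists (`rel=noopener` on anchors, the `noopener` feature on `window.open`, and nulling `opener` after opening) as an added example that is not part of the issue thread or of any browser's code: JavaScript helpers that decide, from an anchor's `target`/`rel` or from a `window.open()` features string, whether a reference to the opener would be handed out, plus an audit over constructed sample markup and calls. The features-string tokenizer follows the steps of the HTML spec's "tokenize the features argument" algorithm (legacy name aliases omitted); the function names, the sample links and the fake window object are this example's own assumptions. The anchor check reflects the default at the time the issue was filed, where a missing `rel` exposed the opener; browsers have since made `target=_blank` imply `noopener`.

```javascript
'use strict';
// Added example, not code from the issue thread. Helper names are this
// example's own; the sample data below is constructed.

// Feature separators per the HTML spec: ASCII whitespace, "=" and ",".
const isSeparator = (ch) => ch === ' ' || ch === '\t' || ch === '\n' ||
  ch === '\f' || ch === '\r' || ch === '=' || ch === ',';

// Tokenize a window.open() features string into a Map of lowercased
// name -> lowercased value, following the HTML spec steps.
function tokenizeFeatures(features) {
  const tokens = new Map();
  let pos = 0;
  while (pos < features.length) {
    let name = '';
    let value = '';
    while (pos < features.length && isSeparator(features[pos])) pos++; // leading separators
    while (pos < features.length && !isSeparator(features[pos])) name += features[pos++];
    name = name.toLowerCase();
    // Skip whitespace up to "=", but never past "," or a non-separator.
    while (pos < features.length && features[pos] !== '=') {
      if (features[pos] === ',' || !isSeparator(features[pos])) break;
      pos++;
    }
    if (pos < features.length && isSeparator(features[pos])) {
      // Skip "=" and surrounding whitespace, stopping at ",".
      while (pos < features.length && isSeparator(features[pos]) && features[pos] !== ',') pos++;
      while (pos < features.length && !isSeparator(features[pos])) value += features[pos++];
      value = value.toLowerCase();
    }
    if (name !== '') tokens.set(name, value);
  }
  return tokens;
}

// "Parse a boolean feature": empty, "yes" and "true" are true; otherwise a
// non-zero integer is true. parseInt approximates the spec's integer rules.
function parseBooleanFeature(value) {
  if (value === '' || value === 'yes' || value === 'true') return true;
  const n = parseInt(value, 10);
  return !Number.isNaN(n) && n !== 0;
}

// Does this features string ask the browser to withhold the opener?
// noreferrer implies noopener for window.open(), as in the spec.
function featuresRequestNoopener(features) {
  const t = tokenizeFeatures(features);
  let noopener = t.has('noopener') && parseBooleanFeature(t.get('noopener'));
  if (t.has('noreferrer') && parseBooleanFeature(t.get('noreferrer'))) noopener = true;
  return noopener;
}

// rel is a space-separated token set; link types match ASCII case-insensitively.
function relHasNoopener(rel) {
  const tokens = rel.toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean);
  return tokens.includes('noopener') || tokens.includes('noreferrer');
}

// An <a> hands out its opener when its target may create a new browsing
// context (anything but the current one or its ancestors) and rel carries
// neither noopener nor noreferrer (the pre-2020 default the issue describes).
function anchorExposesOpener(target, rel) {
  const t = target.trim().toLowerCase();
  if (t === '' || t === '_self' || t === '_parent' || t === '_top') return false;
  return !relHasNoopener(rel);
}

// Third mitigation from the issue: open, then sever the reference by hand.
// `win` is injected so the function can run outside a browser.
function openWithoutOpener(win, url) {
  const child = win.open(url, '_blank');
  if (child) child.opener = null;
  return child;
}

// Audits: return the hrefs / features strings that would expose the opener.
function auditLinks(links) {
  return links.filter((l) => anchorExposesOpener(l.target || '', l.rel || '')).map((l) => l.href);
}
function auditOpenCalls(featureStrings) {
  return featureStrings.filter((f) => !featuresRequestNoopener(f));
}

// Constructed stand-in for the calling window (no real browser involved).
function demoSeverOpener() {
  const fakeWindow = { open: (url) => ({ url, opener: 'parent-window-reference' }) };
  return openWithoutOpener(fakeWindow, 'https://example.com/child');
}

// Constructed sample anchors and window.open() features strings.
const SAMPLE_LINKS = [
  { href: 'https://example.com/a', target: '_blank', rel: '' },
  { href: 'https://example.com/b', target: '_blank', rel: 'noopener' },
  { href: 'https://example.com/c', target: '_blank', rel: 'NoReferrer nofollow' },
  { href: 'https://example.com/d', target: '', rel: '' },
];
const SAMPLE_OPEN_CALLS = ['', 'noopener', 'noopener=0', 'width=400,height=300',
  'noreferrer', 'noopener = yes, width=100'];

console.log('links exposing opener:', auditLinks(SAMPLE_LINKS));
console.log('window.open calls exposing opener:', auditOpenCalls(SAMPLE_OPEN_CALLS));
console.log('opener after manual severing:', demoSeverOpener().opener);
```

The audit is the kind of check that makes the issue's point concrete: with the defaults described, only the entries that explicitly carry `noopener` or `noreferrer` are safe, so any anchor or call that forgets it is reported.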