Re: Adding window.opener control to referrer-policy?

From: Boris Zbarsky <bzbarsky@mit.edu>
Date: Wed, 07 Jan 2015 14:18:42 -0500
Message-ID: <54AD8692.1040006@mit.edu>
To: public-webappsec@w3.org

On 1/7/15 1:58 PM, Brad Hill wrote:
> Basically, Site X has a link to Site Y that opens in a new tab.  Site Y
> can then use window.opener.navigate to change the tab that used to
> contain Site X to something else in the background.  The user may not
> notice this switcheroo and can be possibly exploited when they go back
> to the tab expecting it is still Site X.
>
> The only current mitigation is for Site X to open the new tab to a
> location it controls first

Or using rel="noreferrer" on the link, right?

This issue was discussed at 
http://lists.w3.org/Archives/Public/public-whatwg-archive/2015Jan/0002.html 
over the last few days.

> I wonder what people think of possibly adding an additional directive to
> referrer-policy, "disown-window-opener", that instructs the user agent
> to apply https://html.spec.whatwg.org/#disowned-its-opener automatically
> as it performs a navigation.

So effectively treat all links in the document as rel="noreferrer"?

-Boris
Received on Wednesday, 7 January 2015 19:19:12 UTC
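As an added example that is not part of the original thread: the two mitigations named above (Site X opens a location it controls first and disowns the opener, or marks the link rel="noreferrer") written as defender-side JavaScript helpers, exercised against a constructed stand-in for `window`; the `{href, target, rel}` link descriptor shape and the helper names are assumptions of this example.

```javascript
// Added example, not code from the thread or from any browser/spec project.
// Two defender-side helpers for a site ("Site X" above) that links to
// third-party pages in new tabs, plus a constructed stand-in for `window`
// so the helpers can be exercised outside a browser.

// Mitigation quoted above: open a location the site controls (about:blank)
// first, sever the opener link, and only then navigate the new tab to the
// untrusted URL, so the target page never sees a usable window.opener.
function openWithoutOpener(url, win) {
  const child = win.open('about:blank', '_blank');
  if (!child) return null;            // popup blocked; nothing to harden
  child.opener = null;                // disown before any foreign content runs
  child.location = url;               // assigning location navigates the tab
  return child;
}

// Audit: given link descriptors ({href, target, rel}), return those that open
// a new tab without rel="noreferrer" (the other mitigation named in the reply;
// per HTML, noreferrer also makes the new browsing context disown its opener).
function findUnsafeNewTabLinks(links) {
  return links.filter(l => {
    if (String(l.target || '').toLowerCase() !== '_blank') return false;
    const rel = String(l.rel || '').toLowerCase().split(/\s+/);
    return !rel.includes('noreferrer');
  });
}

// Harden: return copies of the links with rel="noreferrer" added where missing.
function hardenLinks(links) {
  const unsafe = new Set(findUnsafeNewTabLinks(links));
  return links.map(l => unsafe.has(l)
    ? { ...l, rel: (l.rel ? l.rel + ' ' : '') + 'noreferrer' }
    : { ...l });
}

// Constructed minimal window-like object for offline testing; in a browser
// pass the real `window` instead. It records every opened child so a test
// can inspect the opener link and final location.
function makeFakeWindow() {
  const win = { opened: [] };
  win.open = (url, target) => {
    const child = { opener: win, location: url, target };
    win.opened.push(child);
    return child;
  };
  return win;
}
```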