W3C home > Mailing lists > Public > public-webappsec@w3.org > January 2015

Re: Adding window.opener control to referrer-policy?

From: Brad Hill <hillbrad@gmail.com>
Date: Wed, 07 Jan 2015 19:56:16 +0000
Message-ID: <CAEeYn8igmA4q1LcOfb3h-7i7CtsbFfsOXk_w0ackOc=v2Av8Bw@mail.gmail.com>
To: Boris Zbarsky <bzbarsky@mit.edu>, public-webappsec@w3.org
Ah.  Thanks for the pointer to that discussion.  If that behavior is
mandated by rel="noreferrer", I definitely think we should apply the same
logic when a referrer policy is 'none', but it seems it would also be
useful to be able to combine with any policy. (e.g. send origin-only
referrer but also disown window.opener)

On Wed Jan 07 2015 at 11:21:14 AM Boris Zbarsky <bzbarsky@mit.edu> wrote:

> On 1/7/15 1:58 PM, Brad Hill wrote:
> > Basically, Site X has a link to Site Y that opens in a new tab.  Site Y
> > can then use window.opener.navigate to change the tab that used to
> > contain Site X to something else in the background.  The user may not
> > notice this switcheroo and can be possibly exploited when they go back
> > to the tab expecting it is still Site X.
> >
> > The only current mitigation is for Site X to open the new tab to a
> > location it controls first
>
> Or using rel="noreferrer" on the link, right?
>
> This issue was discussed at
> http://lists.w3.org/Archives/Public/public-whatwg-archive/
> 2015Jan/0002.html
> over the last few days.
>
> > I wonder what people think of possibly adding an additional directive to
> > referrer-policy, "disown-window-opener", that instructs the user agent
> > to apply https://html.spec.whatwg.org/#disowned-its-opener automatically
> > as it performs a navigation.
>
> So effectively treat all links in the document as rel="noreferrer"?
>
> -Boris
>
>
Received on Wednesday, 7 January 2015 19:56:44 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:09 UTC