- From: Brad Hill <hillbrad@gmail.com>
- Date: Wed, 07 Jan 2015 19:56:16 +0000
- To: Boris Zbarsky <bzbarsky@mit.edu>, public-webappsec@w3.org
- Message-ID: <CAEeYn8igmA4q1LcOfb3h-7i7CtsbFfsOXk_w0ackOc=v2Av8Bw@mail.gmail.com>
Ah. Thanks for the pointer to that discussion. If that behavior is mandated by rel="noreferrer", I definitely think we should apply the same logic when a referrer policy is 'none', but it seems it would also be useful to be able to combine with any policy. (e.g. send origin-only referrer but also disown window.opener) On Wed Jan 07 2015 at 11:21:14 AM Boris Zbarsky <bzbarsky@mit.edu> wrote: > On 1/7/15 1:58 PM, Brad Hill wrote: > > Basically, Site X has a link to Site Y that opens in a new tab. Site Y > > can then use window.opener.navigate to change the tab that used to > > contain Site X to something else in the background. The user may not > > notice this switcheroo and can be possibly exploited when they go back > > to the tab expecting it is still Site X. > > > > The only current mitigation is for Site X to open the new tab to a > > location it controls first > > Or using rel="noreferrer" on the link, right? > > This issue was discussed at > http://lists.w3.org/Archives/Public/public-whatwg-archive/ > 2015Jan/0002.html > over the last few days. > > > I wonder what people think of possibly adding an additional directive to > > referrer-policy, "disown-window-opener", that instructs the user agent > > to apply https://html.spec.whatwg.org/#disowned-its-opener automatically > > as it performs a navigation. > > So effectively treat all links in the document as rel="noreferrer"? > > -Boris > >
Received on Wednesday, 7 January 2015 19:56:44 UTC