New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 651578 link

Starred by 4 users
Status: Fixed
Owner:
mkwst@chromium.org
Buried. Ping if important.
Closed: Oct 2016
Cc:
dominicc@chromium.org
brajkumar@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug



Sign in to add a comment

window.open() with noopener option has incorrect return value

Reported by bzbar...@mit.edu, Sep 29 2016 
UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:52.0) Gecko/20100101 Firefox/52.0

Example URL:

Steps to reproduce the problem:
1. var w = window.open("", "", "noopener")
2. alert(w)

What is the expected behavior?
Alerts null, per spec.

What went wrong?
Alerts undefined.

Does it occur on multiple sites: Yes

Is it a problem with a plugin? No 

Did this work before? No 

Does this work in other browsers? N/A 

Chrome version: 55.0.2873.4 (Official Build) dev (64-bit)  Channel: n/a
OS Version: OS X 10.10
Flash Version: Shockwave Flash 23.0 r0

Comment 1 by schenney@chromium.org, Sep 30 2016

Components: -Blink Blink>Bindings

Comment 2 by schenney@chromium.org, Sep 30 2016

Cc: mkwst@chromium.org

Comment 3 Deleted

Project Member

Comment 4 by bugdroid1@chromium.org, Oct 6 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/2fde9de3e9ffe7794844ddf9ea3640c5b418b6e5

commit 2fde9de3e9ffe7794844ddf9ea3640c5b418b6e5
Author: mkwst <mkwst@chromium.org>
Date: Thu Oct 06 10:14:53 2016

Fix 'noopener' targeting and return value.

Boris noted a few cases in which Chrome wasn't following the spec for
'noopener'. This patch addresses two of them by ensuring that the call
to 'window.open' return 'null' (rather than 'undefined'), and that we
don't reuse existing windows when processing a 'noopener' request.

BUG= 651578 ,651579

Review-Url: https://codereview.chromium.org/2379313002
Cr-Commit-Position: refs/heads/master@{#423493}

[modify] https://crrev.com/2fde9de3e9ffe7794844ddf9ea3640c5b418b6e5/content/test/data/click-noreferrer-links.html
[modify] https://crrev.com/2fde9de3e9ffe7794844ddf9ea3640c5b418b6e5/third_party/WebKit/LayoutTests/fast/events/popup-blocked-from-different-frames-expected.txt
[modify] https://crrev.com/2fde9de3e9ffe7794844ddf9ea3640c5b418b6e5/third_party/WebKit/LayoutTests/fast/events/popup-blocked-from-different-frames.html
[modify] https://crrev.com/2fde9de3e9ffe7794844ddf9ea3640c5b418b6e5/third_party/WebKit/LayoutTests/fast/events/popup-blocked-from-fake-button-click-expected.txt
[modify] https://crrev.com/2fde9de3e9ffe7794844ddf9ea3640c5b418b6e5/third_party/WebKit/LayoutTests/fast/events/popup-blocked-from-fake-button-click.html
[modify] https://crrev.com/2fde9de3e9ffe7794844ddf9ea3640c5b418b6e5/third_party/WebKit/LayoutTests/fast/events/popup-blocked-from-fake-focus-expected.txt
[modify] https://crrev.com/2fde9de3e9ffe7794844ddf9ea3640c5b418b6e5/third_party/WebKit/LayoutTests/fast/events/popup-blocked-from-fake-focus.html
[modify] https://crrev.com/2fde9de3e9ffe7794844ddf9ea3640c5b418b6e5/third_party/WebKit/LayoutTests/fast/events/popup-blocked-from-fake-user-gesture-expected.txt
[modify] https://crrev.com/2fde9de3e9ffe7794844ddf9ea3640c5b418b6e5/third_party/WebKit/LayoutTests/fast/events/popup-blocked-from-fake-user-gesture.html
[modify] https://crrev.com/2fde9de3e9ffe7794844ddf9ea3640c5b418b6e5/third_party/WebKit/LayoutTests/fast/events/popup-blocked-from-untrusted-click-event-on-anchor-expected.txt
[modify] https://crrev.com/2fde9de3e9ffe7794844ddf9ea3640c5b418b6e5/third_party/WebKit/LayoutTests/fast/events/popup-blocked-from-untrusted-click-event-on-anchor.html
[modify] https://crrev.com/2fde9de3e9ffe7794844ddf9ea3640c5b418b6e5/third_party/WebKit/LayoutTests/fast/events/popup-blocked-from-wrong-event-expected.txt
[modify] https://crrev.com/2fde9de3e9ffe7794844ddf9ea3640c5b418b6e5/third_party/WebKit/LayoutTests/fast/events/popup-blocked-from-wrong-event.html
[modify] https://crrev.com/2fde9de3e9ffe7794844ddf9ea3640c5b418b6e5/third_party/WebKit/LayoutTests/fast/events/popup-blocking-timers3-expected.txt
[modify] https://crrev.com/2fde9de3e9ffe7794844ddf9ea3640c5b418b6e5/third_party/WebKit/LayoutTests/fast/events/popup-blocking-timers3.html
[modify] https://crrev.com/2fde9de3e9ffe7794844ddf9ea3640c5b418b6e5/third_party/WebKit/LayoutTests/fast/events/popup-blocking-timers4-expected.txt
[modify] https://crrev.com/2fde9de3e9ffe7794844ddf9ea3640c5b418b6e5/third_party/WebKit/LayoutTests/fast/events/popup-blocking-timers4.html
[modify] https://crrev.com/2fde9de3e9ffe7794844ddf9ea3640c5b418b6e5/third_party/WebKit/LayoutTests/fast/events/popup-blocking-timers6-expected.txt
[modify] https://crrev.com/2fde9de3e9ffe7794844ddf9ea3640c5b418b6e5/third_party/WebKit/LayoutTests/fast/events/popup-blocking-timers6.html
[modify] https://crrev.com/2fde9de3e9ffe7794844ddf9ea3640c5b418b6e5/third_party/WebKit/LayoutTests/fast/frames/sandboxed-iframe-navigation-top-by-name-denied.html
[modify] https://crrev.com/2fde9de3e9ffe7794844ddf9ea3640c5b418b6e5/third_party/WebKit/LayoutTests/fast/html/marquee-without-frame-no-crash-expected.txt
[modify] https://crrev.com/2fde9de3e9ffe7794844ddf9ea3640c5b418b6e5/third_party/WebKit/LayoutTests/fast/html/marquee-without-frame-no-crash.html
[add] https://crrev.com/2fde9de3e9ffe7794844ddf9ea3640c5b418b6e5/third_party/WebKit/LayoutTests/http/tests/security/rel-noopener/window-open.html
[modify] https://crrev.com/2fde9de3e9ffe7794844ddf9ea3640c5b418b6e5/third_party/WebKit/Source/bindings/core/v8/custom/V8WindowCustom.cpp
[modify] https://crrev.com/2fde9de3e9ffe7794844ddf9ea3640c5b418b6e5/third_party/WebKit/Source/core/page/CreateWindow.cpp

Comment 5 by dominicc@chromium.org, Oct 7 2016

Cc: dominicc@chromium.org
 Issue 652640  has been merged into this issue.

Comment 6 by phistuck@chromium.org, Oct 7 2016

Labels: Hotlist-Interop

Comment 7 by brajkumar@chromium.org, Oct 10 2016

Cc: brajkumar@chromium.org
Labels: Needs-Feedback
Tested this issue on Mac OS 10.12 and Ubuntu 14.04 using chrome latest Dev #55.0.2883.6 by following mentioned steps below.

1. Switched to chrome console
2. Typed var w = window.open("", "", "noopener")
3. Alerts undefined and opens a new about:blank dialog

There is no alert seen saying null in the console as expected. Could anyone let us know the above steps is the right way to verify this issue?

Comment 8 by phistuck@gmail.com, Oct 10 2016 

1. You missed the alert(w) statement.
2. The console implicitly adds a user gesture flag to the running code, which means a new tab or a popup window will actually show up, which would probably make the alert say [object Object] instead of null.

Create an HTML file that has this -
<!doctype html><script>setTimeout(
function()
{
 var w = window.open("", "", "noopener");
 alert(w);
}, 5000);
</script>

Open it in Chrome and wait five seconds. Does that show null?

Comment 9 by brajkumar@chromium.org, Oct 10 2016 

Yes, It displays saying null for the provided html file.
Screen Shot 2016-10-10 at 4.34.39 PM.png
18.5 KB View Download

Comment 10 by phistuck@gmail.com, Oct 10 2016 

Great, fixed.

Comment 11 by phistuck@gmail.com, Oct 10 2016 

Sorry - do you also see a blocked popup indication?

Comment 12 by brajkumar@chromium.org, Oct 10 2016 

Yes, It shows a blocked pop-up indication while opening the page.

Comment 13 by brajkumar@chromium.org, Oct 10 2016 

phistuck@ - Could you please change the status of the bug since it got fixed on latest Dev.

Comment 14 by phistuck@gmail.com, Oct 10 2016 

I will let mkwest@ do that, as he fixed it.

Comment 15 by manoranj...@chromium.org, Oct 10 2016

Labels: -Needs-Feedback TE-Verified-M55 TE-Verified-55.0.2883.6 M-55

Comment 16 by rbyers@chromium.org, Oct 24 2016

Cc: -mkwst@chromium.org
Components: -Blink>Bindings Blink>WindowDialog
Labels: -OS-Mac OS-All
Owner: mkwst@chromium.org
Status: Fixed (was: Unconfirmed)
This is definitely fixed, marking as such.
Project Member

Comment 17 by bugdroid1@chromium.org, Oct 27 2016

Labels: merge-merged-2840
The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/2fde9de3e9ffe7794844ddf9ea3640c5b418b6e5

commit 2fde9de3e9ffe7794844ddf9ea3640c5b418b6e5
Author: mkwst <mkwst@chromium.org>
Date: Thu Oct 06 10:14:53 2016

Fix 'noopener' targeting and return value.

Boris noted a few cases in which Chrome wasn't following the spec for
'noopener'. This patch addresses two of them by ensuring that the call
to 'window.open' return 'null' (rather than 'undefined'), and that we
don't reuse existing windows when processing a 'noopener' request.

BUG= 651578 ,651579

Review-Url: https://codereview.chromium.org/2379313002
Cr-Commit-Position: refs/heads/master@{#423493}

[modify] https://crrev.com/2fde9de3e9ffe7794844ddf9ea3640c5b418b6e5/content/test/data/click-noreferrer-links.html
[modify] https://crrev.com/2fde9de3e9ffe7794844ddf9ea3640c5b418b6e5/third_party/WebKit/LayoutTests/fast/events/popup-blocked-from-different-frames-expected.txt
[modify] https://crrev.com/2fde9de3e9ffe7794844ddf9ea3640c5b418b6e5/third_party/WebKit/LayoutTests/fast/events/popup-blocked-from-different-frames.html
[modify] https://crrev.com/2fde9de3e9ffe7794844ddf9ea3640c5b418b6e5/third_party/WebKit/LayoutTests/fast/events/popup-blocked-from-fake-button-click-expected.txt
[modify] https://crrev.com/2fde9de3e9ffe7794844ddf9ea3640c5b418b6e5/third_party/WebKit/LayoutTests/fast/events/popup-blocked-from-fake-button-click.html
[modify] https://crrev.com/2fde9de3e9ffe7794844ddf9ea3640c5b418b6e5/third_party/WebKit/LayoutTests/fast/events/popup-blocked-from-fake-focus-expected.txt
[modify] https://crrev.com/2fde9de3e9ffe7794844ddf9ea3640c5b418b6e5/third_party/WebKit/LayoutTests/fast/events/popup-blocked-from-fake-focus.html
[modify] https://crrev.com/2fde9de3e9ffe7794844ddf9ea3640c5b418b6e5/third_party/WebKit/LayoutTests/fast/events/popup-blocked-from-fake-user-gesture-expected.txt
[modify] https://crrev.com/2fde9de3e9ffe7794844ddf9ea3640c5b418b6e5/third_party/WebKit/LayoutTests/fast/events/popup-blocked-from-fake-user-gesture.html
[modify] https://crrev.com/2fde9de3e9ffe7794844ddf9ea3640c5b418b6e5/third_party/WebKit/LayoutTests/fast/events/popup-blocked-from-untrusted-click-event-on-anchor-expected.txt
[modify] https://crrev.com/2fde9de3e9ffe7794844ddf9ea3640c5b418b6e5/third_party/WebKit/LayoutTests/fast/events/popup-blocked-from-untrusted-click-event-on-anchor.html
[modify] https://crrev.com/2fde9de3e9ffe7794844ddf9ea3640c5b418b6e5/third_party/WebKit/LayoutTests/fast/events/popup-blocked-from-wrong-event-expected.txt
[modify] https://crrev.com/2fde9de3e9ffe7794844ddf9ea3640c5b418b6e5/third_party/WebKit/LayoutTests/fast/events/popup-blocked-from-wrong-event.html
[modify] https://crrev.com/2fde9de3e9ffe7794844ddf9ea3640c5b418b6e5/third_party/WebKit/LayoutTests/fast/events/popup-blocking-timers3-expected.txt
[modify] https://crrev.com/2fde9de3e9ffe7794844ddf9ea3640c5b418b6e5/third_party/WebKit/LayoutTests/fast/events/popup-blocking-timers3.html
[modify] https://crrev.com/2fde9de3e9ffe7794844ddf9ea3640c5b418b6e5/third_party/WebKit/LayoutTests/fast/events/popup-blocking-timers4-expected.txt
[modify] https://crrev.com/2fde9de3e9ffe7794844ddf9ea3640c5b418b6e5/third_party/WebKit/LayoutTests/fast/events/popup-blocking-timers4.html
[modify] https://crrev.com/2fde9de3e9ffe7794844ddf9ea3640c5b418b6e5/third_party/WebKit/LayoutTests/fast/events/popup-blocking-timers6-expected.txt
[modify] https://crrev.com/2fde9de3e9ffe7794844ddf9ea3640c5b418b6e5/third_party/WebKit/LayoutTests/fast/events/popup-blocking-timers6.html
[modify] https://crrev.com/2fde9de3e9ffe7794844ddf9ea3640c5b418b6e5/third_party/WebKit/LayoutTests/fast/frames/sandboxed-iframe-navigation-top-by-name-denied.html
[modify] https://crrev.com/2fde9de3e9ffe7794844ddf9ea3640c5b418b6e5/third_party/WebKit/LayoutTests/fast/html/marquee-without-frame-no-crash-expected.txt
[modify] https://crrev.com/2fde9de3e9ffe7794844ddf9ea3640c5b418b6e5/third_party/WebKit/LayoutTests/fast/html/marquee-without-frame-no-crash.html
[add] https://crrev.com/2fde9de3e9ffe7794844ddf9ea3640c5b418b6e5/third_party/WebKit/LayoutTests/http/tests/security/rel-noopener/window-open.html
[modify] https://crrev.com/2fde9de3e9ffe7794844ddf9ea3640c5b418b6e5/third_party/WebKit/Source/bindings/core/v8/custom/V8WindowCustom.cpp
[modify] https://crrev.com/2fde9de3e9ffe7794844ddf9ea3640c5b418b6e5/third_party/WebKit/Source/core/page/CreateWindow.cpp

Comment 18 by dimu@google.com, Nov 4 2016

Labels: -merge-merged-2840
[Automated comment] removing mislabelled merge-merged-2840

Sign in to add a comment