Show a fullscreen-like notification when a window navigates its opener
Reported by
tiddolan...@gmail.com,
Dec 1 2016
|
|||||||||
Issue descriptionUserAgent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0 Steps to reproduce the problem: N.v.t. (not a bug) What is the expected behavior? What went wrong? N.v.t. (not a bug) Did this work before? N/A Does this work in other browsers? No Similar issue on bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=1321305 Chrome version: 54.0.2840.90 Channel: stable OS Version: Fedora 23 Flash Version: This is a feature request resulting from this discussion in the WHATWG HTML issue tracker: https://github.com/whatwg/html/issues/2119 The problem is, that rel=noopener is not the perfect solution to mitigate the non-trivial security problem, when a window accesses and manipulates its opener window. Proposed solution: If a window A opens a new window B, and if both windows do not share the same origin, then: * detect, when B wants to access and/or modify A's window object * if it does, block the action and present the user with a modal warning in A, asking for allowance The warning could be similar to the ones when entering fullscreen mode or when asking for location information. This solution addresses the problem, that cross-origin access to the parent window object is inherently unsafe, but seems to be used in some OAuth workflows, which rules out plainly disallowing this practice.
,
Dec 1 2016
Some notes: * Opera Presto restricted navigation for HTTPS pages. This is not a good solution for a future where we want all pages to use HTTPS. It probably does not cater to the current OAuth pages either. * Mobile browsers often re-display the address field if navigation occurs, so the user at least has a chance to see it. Whether or not the user pays attention to it is another matter. * Any implementation that relies on modal dialogs is undesirable, since it breaks user interaction flow, and trains users to blindly click "OK" on any dialog they see. Alternative solutions: * If cross-origin opener navigation is initiated, the new URL could be opened as a new tab instead (this might be abused as a way to open unrequested popups, but perhaps could be limited to just one, or use the popup blocker click detection in some way). * Highlight the address field when the opener tab is next focused, to draw the user's attention to it. (UI fix rather than engine fix.) * Rather than just tying it to the cross-origin nature of the .opener and .self, it could also be related to whether the new URL would have a different origin to the original URL in the .opener. Eg. foo.com opens example.com in a popup, example.com tries to say .opener.location='http://foo.com/bar', this could be allowed because it does not change the origin of the opener. This should reduce the number of false positives, and might allow some more of those OAuth pages to work seamlessly.
,
Dec 1 2016
> Any implementation that relies on modal dialogs is undesirable, since it breaks user interaction flow I think that this is actually something good, since it stimulates web-developers to use alternative, safer mechanisms. The biggest problem would be the transition period. I think that a decent timeline would be to start out with a not-too-intrusive solution (any of your proposed solution will do), after which WHATWG can work on a proper mechanism to "authorize" safe use of `window.opener`. When this is in place then the not-too-intrusive solution can be replaced with an intrusive solution. By then web developers will have an alternative which they can migrate to.
,
Dec 1 2016
Tagging as Feature request.
,
Dec 5 2016
,
Dec 6 2016
This seems like festure request and hence marking it as untriaged.
,
Feb 23 2017
CCing some Enamel folks.
,
Apr 17 2017
(UI>Browser>Navigation label only sort of makes sense; not sure where else to put this) I think that some kind of fullscreen-like notification could work, but we'd have to think carefully about what it should say and when it fire so that it would be effective. I like the idea in comment 2 about only firing if the opener is navigated cross-origin. If we show it less often in common harmless scenarios, users will pay more attention when they see it.
,
Nov 10 2017
,
Feb 18 2018
|
|||||||||
►
Sign in to add a comment |
|||||||||
Comment 1 by tiddolan...@gmail.com
, Dec 1 2016