Open
Bug 1321305
Opened 8 years ago
Updated 2 years ago
Show a modal warning, when a window wants to manipulate its opener
Categories
(Core :: DOM: Security, defect, P5)
Core
DOM: Security
Tracking
()
UNCONFIRMED
People
(Reporter: bugzilla, Unassigned)
Details
(Whiteboard: [domsecurity-backlog])
This is a feature request resulting from this discussion in the WHATWG HTML issue tracker: https://github.com/whatwg/html/issues/2119 The problem is, that rel=noopener is not the perfect solution to mitigate the non-trivial security problem, when a window accesses and manipulates its opener window. Proposed solution: If a window A opens a new window B, and if both windows do not share the same origin, then: * detect, when B wants to access and/or modify A's window object * if it does, block the action and present the user with a modal warning in A, asking for allowance The warning could be similar to the ones when entering fullscreen mode or when asking for location information. This solution addresses the problem, that cross-origin access to the parent window object is inherently unsafe, but seems to be used in some OAuth workflows, which rules out plainly disallowing this practice.
|
||
Comment 1•8 years ago
|
||
Small remark: I made this suggestion in the Github issue, but I didn't intend the notification to completely block the action. Instead I think it should just provide a notification that the window object has been manipulated, in a similar fashion as the fullscreen notification works. Fully blocking the action will result in poor UX for (e.g.) Oauth flows, which I don't think is desirable (at least not without a secure alternative).
I think a blocking dialog is better than a notification, because the "poor UX" would encourage web sites to find a more secure way to implement OAuth. Cross origin opener is different from fullscreen, because the former is what we want to remove from the web one day.
|
|
||
Comment 3•8 years ago
|
||
I also submitted the issue to issue trackers of Chromium & Edge: https://bugs.chromium.org/p/chromium/issues/detail?id=670203 https://developer.microsoft.com/en-us/microsoft-edge/platform/issues/10022307/
|
||
Updated•7 years ago
|
Priority: -- → P5
Whiteboard: [domsecurity-backlog]
|
Reporter | |
Comment 4•3 years ago
|
||
mozilla.de changed since this bug was opened. I’m closing it therefore.
Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → INVALID
|
|
Reporter | |
Comment 5•3 years ago
|
||
Sorry for the fuss! Wrong bug.
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
|
||
Updated•2 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•