Closed
Bug 1094449
Opened 10 years ago
Closed 10 years ago
links opened with rel="noreferrer nofollow" do not set window.opener to null, send over referrer information
Categories
(Core :: DOM: Navigation, defect)
Tracking
()
VERIFIED
FIXED
mozilla36
| Tracking | Status | |
|---|---|---|
| firefox36 | --- | fixed |
People
(Reporter: kennysanx, Assigned: bzbarsky)
References
Details
Attachments
(1 file)
|
2.40 KB,
patch
|
smaug
:
review+
|
Details | Diff | Splinter Review |
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:33.0) Gecko/20100101 Firefox/33.0 Build ID: 20141027150301 Steps to reproduce: Visit http://www.makesomeday.today/rel.html in Firefox 33/Firefox Beta 34 click on the link Actual results: Clicking on the link opens a new tab to http://66.228.47.213/landpage.html which contains a script that sets window.opener.location = https://www.google.com, which sets the parent tab location to google.com. Observe in the net inspector that referrer information is transferred in the request, and window.opener is not set to null. If you edit http://www.makesomeday.today/rel.html and change the link attribute to only rel="noreferrer", clicking on the link does not transmit referral info and also sets window.opener to null. Expected results: 1) No referrer information is transmitted in the request to open http://66.228.47.213/landpage.html 2) window.opener is set to null 3) The parent window (makesomeday.today/rel.html) should not redirect to google.com)
|
||
Updated•10 years ago
|
Component: Untriaged → Document Navigation
Product: Firefox → Core
|
Assignee | |
Comment 1•10 years ago
|
||
Looks like nsDocShell::OnLinkClickSync is checking for the attribute value being "noreferrer". It should be checking that one of the tokens in the value is noreferrer. I don't think this is a security bug, fwiw.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Hey Boris sorry--I agree that this isn't particularly sensitive. This is my first time submitting a bug to Mozilla and I didn't really reflect too much on that checkbox at the end.
|
|
Assignee | |
Comment 3•10 years ago
|
||
No need to apologize. It's not obvious that this is not a security bug (which is why I haven't unchecked the checkbox; I _think_ this is not an issue we need to keep hidden, but I could well be wrong). And thank you very much for reporting this, by the way!
|
||
Comment 4•10 years ago
|
||
Please remove the sec-other keyword if you think this may be a security issue after all.
Keywords: sec-other
|
|
Assignee | |
Comment 5•10 years ago
|
||
Attachment #8526517 -
Flags: review?(bugs)
|
|
Assignee | |
Updated•10 years ago
|
Assignee: nobody → bzbarsky
Status: NEW → ASSIGNED
|
||
Comment 6•10 years ago
|
||
Comment on attachment 8526517 [details] [diff] [review] Treat @rel on anchors as a set of space-separated tokens, not a single token bah, I should have caught this while reviewing.
Attachment #8526517 -
Flags: review?(bugs) → review+
|
|
Assignee | |
Comment 7•10 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/125c6f4823e5
Target Milestone: --- → mozilla36
|
||
Comment 8•10 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/125c6f4823e5
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
status-firefox36:
--- → fixed
Resolution: --- → FIXED
|
|
||
Comment 9•10 years ago
|
||
Bug 530396 landed in Firefox 33, is it worth uplifting this fix?
|
|
||
Comment 10•10 years ago
|
||
Now that we have this fixed it would be nice to have this in release notes. [Why is this notable]: This is a great privacy feature if you link to a (external) site on blog or forum posts. [Suggested wording]: Support for the rel="noreferrer" attribute added [Links (documentation, blog post, etc)]: https://developer.mozilla.org/en-US/docs/Web/HTML/Link_types https://developer.mozilla.org/en-US/docs/Web/HTML/Element/a (In reply to :Gavin Sharp [email: gavin@gavinsharp.com] from comment #9) > Bug 530396 landed in Firefox 33, is it worth uplifting this fix? For Firefox 33 it's to late, but we should ship this fix to release soon. I think this feature will be primarily used on external links and mostly they open in a new tab. So a lot of people run in this issue.
Status: RESOLVED → VERIFIED
relnote-firefox:
--- → ?
|
||
Comment 11•9 years ago
|
||
Added to the 36 release notes with "Link rel="noreferrer" attribute implemented" as wording.
|
|
Assignee | |
Comment 12•9 years ago
|
||
That's not the right wording. rel="noreferrer" was implemented in firefox 33. The right wording for this bug is: Fix bug with rel="noreferrer" being ignored if the rel value contains other tokens as well.
Flags: needinfo?(sledru)
|
|
||
Comment 13•9 years ago
|
||
ok. That is not worth release notes that. Thanks.
relnote-firefox:
36+ → ---
Flags: needinfo?(sledru)
You need to log in
before you can comment on or make changes to this bug.
Description
•