Open Bug 1433352 Opened 7 years ago Updated 1 year ago

window.open() needs to support referrerpolicy

Categories

(Core :: DOM: Security, enhancement, P3)

People

(Reporter: dveditz, Unassigned)

Details

(Whiteboard: [domsecurity-backlog3])

Attachments

(1 obsolete file)

window.open() does not appear to support referrerpolicy. Haven't looked up what the spec says but given Referrer Policy for pages and referrerpolicy attribute for links and fetch() it really needs to do so. Seems a natural for the third "Windows Features" argument to window.open().
Looks to me like the hook into the HTML spec suggests it should change a navigation: https://www.w3.org/TR/referrer-policy/#integration-with-html The HTML spec says: "The open(url, target, features) method on Window objects provides a mechanism for navigating an existing browsing context or opening and navigating an auxiliary browsing context."
So you want to override the document's referrer policy with a new referrerpolicy feature for window.open(), similar to how you can override it on <img> with a referrerpolicy attribute? Or do you mean that window.open() should use the document's referrer policy? If the former, it seems we should work with other browsers on standardizing that approach first. (Somewhat related: we're still dealing with fallout from adding noopener as a feature for window.open().)
I assume window.open() _already_ follows the document's referrer policy. If it does not that's clearly a bug and a hole in our referrerpolicy implementation. Since we've found it useful to override the document's referrer policy in many other cases, including the analogous ways of opening a "popup" then adding it to window.open() seems appropriate. Yes, we should attempt to standardize this.
Severity: normal → enhancement
Priority: -- → P3
Whiteboard: [domsecurity-backlog3]
Dan, are you saying that window.open doesn't support the user set about:config referrer policy, or does not respect the referrer policy set by the parent document? If the former, then that seems pretty bad to me.
Flags: needinfo?(dveditz)
He means that you cannot control it for window.open() the way you can with <img referrerpolicy=...>.
Flags: needinfo?(dveditz)
Severity: normal → S3
Attachment #9384923 - Attachment is obsolete: true
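Added example (not part of the bug thread or of Firefox code): until window.open() accepts a referrer policy, a page can get a per-navigation policy for a new window by clicking a temporary link that carries the referrerpolicy attribute the thread mentions. The helper name openWithReferrerPolicy and the doc parameter are assumptions made for this sketch, and it assumes the caller does not need a handle to the opened window.

```javascript
// Policy tokens defined by the Referrer Policy specification.
const REFERRER_POLICIES = new Set([
  "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
  "strict-origin", "origin-when-cross-origin",
  "strict-origin-when-cross-origin", "unsafe-url",
]);

// Hypothetical helper: open `url` in a new browsing context with an explicit
// referrer policy. `doc` defaults to the page's document and is a parameter
// only so the function can be exercised with a stub outside a browser.
function openWithReferrerPolicy(url, policy, doc = globalThis.document) {
  // Fail closed: an unrecognised referrerpolicy value is treated by browsers
  // as the empty string, which silently falls back to the document's policy.
  if (!REFERRER_POLICIES.has(policy)) {
    throw new TypeError(`unknown referrer policy: ${policy}`);
  }
  const a = doc.createElement("a");
  a.href = url;
  a.target = "_blank";        // new window or tab, as window.open() would use
  a.rel = "noopener";         // the opened page gets no window.opener
  a.referrerPolicy = policy;  // reflects the referrerpolicy content attribute
  a.style.display = "none";
  doc.body.appendChild(a);    // attach before clicking so the navigation is honoured
  try {
    a.click();                // call from a user gesture or the popup blocker applies
  } finally {
    a.remove();
  }
  return { href: a.href, target: a.target, rel: a.rel, referrerPolicy: a.referrerPolicy };
}
```

The existing `noreferrer` window feature covers only the case where no referrer should be sent at all; the link approach is what allows the intermediate policies such as `origin`.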