Open mikewest opened 7 years ago
That would not cover <form>
. Patching "the rules for choosing a browsing context" where the value is actually used seems slightly better, though would affect window.open()
as well.
I see.
I didn't look at "the rules for choosing a browsing context" because I'm not sure whether affecting window.open()
is reasonable. I vaguely recall weird ad networks using the window name to transfer data across the window boundary. Not sure if that's done a priori via targeting, or after the fact by setting window.name
.
Okay, it seems like we should make sure it affects both <form>
and <a>
/<area>
though. There's some opportunity there to deduplicate a bit of target handling so that would probably work out well.
Ok. If none of the fine folks CC'd here object fundamentally, I'll try to put together a patch and some tests.
As noted in http://www.w2spconf.com/2012/papers/w2sp12-final11.pdf and discussed a bit in https://github.com/w3c/webappsec-csp/issues/186, an unclosed
target
attribute of<base>
can inadvertently suck up large chunks of the remainder of the page, using them as thewindow.name
of any navigations triggered by the page.https://www.chromestatus.com/metrics/feature/timeline/popularity/1761 shows that, for Chrome users, the
target
attribute contains a\n
character approximately 0% of the time. Perhaps it would be reasonable to simply restrict such values from being used as atarget
. For example, we could do something like changing step 5 of https://html.spec.whatwg.org/#following-hyperlinks-2 to use thetarget
attribute iff it doesn't contain a\n
character.WDYT, @mozfreddyb, @johnwilander, @travisleithead, etc?