Skip to content

[url_launcher_web] Disallows launching "javascript:" URLs. #5180

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Oct 23, 2023
Merged

[url_launcher_web] Disallows launching "javascript:" URLs. #5180

merged 3 commits into from
Oct 23, 2023

Conversation

ditman
Copy link
Member

@ditman ditman commented Oct 19, 2023

This PR updates the URL launcher to:

  • Implement the new launchUrl method.
  • Disallow launch and launchUrl for URLs with the javascript: scheme.
  • Prevent Tabnabbing.

Issues

Fixes flutter/flutter#136657

Tests

Integration tests (and mocks) updated.

Pre-launch Checklist

  • I read the Contributor Guide and followed the process outlined there for submitting PRs.
  • I read the Tree Hygiene wiki page, which explains my responsibilities.
  • I read and followed the relevant style guides and ran the auto-formatter. (Unlike the flutter/flutter repo, the flutter/packages repo does use dart format.)
  • I signed the CLA.
  • The title of the PR starts with the name of the package surrounded by square brackets, e.g. [shared_preferences]
  • I listed at least one issue that this PR fixes in the description above.
  • I updated pubspec.yaml with an appropriate new version according to the pub versioning philosophy, or this PR is exempt from version changes.
  • I updated CHANGELOG.md to add a description of the change, following repository CHANGELOG style.
  • I updated/added relevant documentation (doc comments with ///).
  • I added new tests to check the change I am making, or this PR is test-exempt.
  • All existing and new tests are passing.

If you need help, consider asking for advice on the #hackers-new channel on Discord.

@ditman ditman requested a review from stuartmorgan-g October 19, 2023 05:15
@ditman ditman changed the title [url_launcher_web] Disallows launching the javascript scheme. [url_launcher_web] Disallows launching "javascript:" URLs. Oct 19, 2023
@ditman ditman mentioned this pull request Oct 19, 2023
Closed
mdebbar
mdebbar reviewed Oct 19, 2023
View reviewed changes
Copy link
Contributor

@mdebbar mdebbar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The code itself looks good to me, though I'm hesitant about blanket-adding noopener,noreferrer. I'm okay with making this the default behavior. But should we give developers the option to allow communication back with the main window? There could be a legit use case when the app is opening its own popup (not a user-provided URL).

@stuartmorgan-g
Copy link
Contributor

I'm hesitant about blanket-adding noopener,noreferrer. I'm okay with making this the default behavior. But should we give developers the option to allow communication back with the main window? There could be a legit use case when the app is opening its own popup (not a user-provided URL).

I had the same thought initially, but then wasn't convinced that url_launcher should be the mechanism for that use case. It's not intended to be a window management utility, and doesn't work that way on any other platform, so I think there's a good argument that if what you want to open is a page that's communicating with the main window, url_launcher isn't the plugin for you. Maybe Link's use of url_launcher changes that dynamic though? Should Link be less tightly bound to allow use of Link in those cases without using openUrl, maybe?

@ditman
Copy link
Member Author

ditman commented Oct 19, 2023

But should we give developers the option to allow communication back with the main window? There could be a legit use case when the app is opening its own popup (not a user-provided URL).

@mdebbar it's easy for us to pass a new LaunchOptions property to disable the "noreferrer, noopener" in case this breaks any user of the feature.

My two opinions, hoever:

  • if you want to call window.open without the noopener rule, you can write your own code to do so (for example: google_sign_in handles its own popup).
  • if you need to talk to a popup you opened, you should be using postMessage, so you can have a protocol that you can validate.

(Do you really think this change is a big breaking change?)

Should Link be less tightly bound to allow use of Link in those cases without using openUrl, maybe?

@stuartmorgan hmmm, I think Link does not use openUrl on the web? (but @mdebbar can confirm!) (code)

stuartmorgan-g
stuartmorgan-g approved these changes Oct 19, 2023
View reviewed changes
Copy link
Contributor

@stuartmorgan-g stuartmorgan-g left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@stuartmorgan hmmm, I think Link does not use openUrl on the web

Doh!

This LGTM then. I would at this point vote for only adding options to remove the attributes if we get significant feedback that there's a compelling case for them in the context of the intended use of url_launcher.

@ditman
Copy link
Member Author

ditman commented Oct 20, 2023

I would at this point vote for only adding options to remove the attributes if we get significant feedback that there's a compelling case for them in the context of the intended use of url_launcher.

I agree, but will wait to see how strongly @mdebbar feels about it!

mdebbar
mdebbar approved these changes Oct 23, 2023
View reviewed changes
Copy link
Contributor

@mdebbar mdebbar left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Keeping an eye for user feedback sounds like a good strategy!

@ditman
Copy link
Member Author

ditman commented Oct 23, 2023

Applying autosubmit

@ditman ditman added the autosubmit Merge PR when tree becomes green via auto submit App label Oct 23, 2023
@auto-submit auto-submit bot merged commit 5c6cb75 into flutter:main Oct 23, 2023
@ditman ditman deleted the fix-url-launcher-xss branch October 23, 2023 20:21
sybrands-place pushed a commit to sybrands-place/packages that referenced this pull request Oct 24, 2023
Merge branch 'main' into webview_patchedv5
813131e 
* main: (139 commits)
  Change firebase device tests from Android api 30 to 33 (flutter#5185)
  [url_launcher] Add an `inAppBrowserView` mode (flutter#5205)
  [ci] Remove device_type property from Windows Arm64 properties (flutter#5193)
  [url_launcher_web] Disallows launching "javascript:" URLs. (flutter#5180)
  [local_auth]: Bump androidx.fragment:fragment from 1.6.0 to 1.6.1 in /packages/local_auth/local_auth_android/android (flutter#4600)
  Roll Flutter from 823e083 to 5e8b5f4 (13 revisions) (flutter#5208)
  [tool] Add optional swift-format support (flutter#5204)
  [camera] CameraPlatform.createCameraWithSettings (flutter#3615)
  Bump github/codeql-action from 2.22.3 to 2.22.4 (flutter#5201)
  Roll Flutter from 6f4850d to 823e083 (3 revisions) (flutter#5198)
  Bump actions/checkout from 4.1.0 to 4.1.1 (flutter#5167)
  Roll Flutter from 0883cb2 to 6f4850d (24 revisions) (flutter#5196)
  [ios_platform_images]  migrate objC to swift (flutter#4847)
  [in_app_pur]: Bump org.json:json from 20230618 to 20231013 in /packages/in_app_purchase/in_app_purchase_android/example/android/app (flutter#5149)
  [in_app_pur]: Bump org.json:json from 20230618 to 20231013 in /packages/in_app_purchase/in_app_purchase_android/android (flutter#5150)
  [quick_actions] convert to pigeon (flutter#5159)
  [ci] Add build-only Windows Arm64 tests (flutter#5142)
  Add '--no-tree-shake-icons' option to `BenchmarkServer` (flutter#5186)
  Roll Flutter from c2bd2c1 to 0883cb2 (24 revisions) (flutter#5192)
  [ci] Finalize migration to x64 specific Windows platform (flutter#5174)
  ...
@engine-flutter-autoroll engine-flutter-autoroll mentioned this pull request Oct 24, 2023
Merged
engine-flutter-autoroll added a commit to engine-flutter-autoroll/flutter that referenced this pull request Oct 24, 2023
@engine-flutter-autoroll
5c6cb75 [url_launcher_web] Disallows launching "javascript:" URLs. (f…
ed48a47 
…lutter/packages#5180)
auto-submit bot pushed a commit to flutter/flutter that referenced this pull request Oct 24, 2023
@engine-flutter-autoroll
Roll Packages from 4bf5114 to 2faf992 (7 revisions) (#137154)
88643f9 
flutter/packages@4bf5114...2faf992

2023-10-23 34871572+gmackall@users.noreply.github.com Change firebase device tests from Android api 30 to 33 (flutter/packages#5185)
2023-10-23 stuartmorgan@google.com [url_launcher] Add an `inAppBrowserView` mode (flutter/packages#5205)
2023-10-23 737941+loic-sharma@users.noreply.github.com [ci] Remove device_type property from Windows Arm64 properties (flutter/packages#5193)
2023-10-23 ditman@gmail.com [url_launcher_web] Disallows launching "javascript:" URLs. (flutter/packages#5180)
2023-10-23 49699333+dependabot[bot]@users.noreply.github.com [local_auth]: Bump androidx.fragment:fragment from 1.6.0 to 1.6.1 in /packages/local_auth/local_auth_android/android (flutter/packages#4600)
2023-10-23 engine-flutter-autoroll@skia.org Roll Flutter from 823e083 to 5e8b5f4 (13 revisions) (flutter/packages#5208)
2023-10-23 stuartmorgan@google.com [tool] Add optional swift-format support (flutter/packages#5204)

If this roll has caused a breakage, revert this CL and stop the roller
using the controls here:
https://autoroll.skia.org/r/flutter-packages-flutter-autoroll
Please CC flutter-ecosystem@google.com,rmistry@google.com on the revert to ensure that a human
is aware of the problem.

To file a bug in Flutter: https://github.com/flutter/flutter/issues/new/choose

To report a problem with the AutoRoller itself, please file a bug:
https://issues.skia.org/issues/new?component=1389291&template=1850622

Documentation for the AutoRoller is here:
https://skia.googlesource.com/buildbot/+doc/main/autoroll/README.md
@reidbaker reidbaker mentioned this pull request Jan 12, 2024
Closed
@reidbaker reidbaker mentioned this pull request Jan 19, 2024
Merged
12 tasks
@reidbaker reidbaker mentioned this pull request Feb 19, 2024
Merged
16 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@stuartmorgan-g stuartmorgan-g stuartmorgan-g approved these changes

@mdebbar mdebbar mdebbar approved these changes

Assignees
No one assigned
Labels
autosubmit Merge PR when tree becomes green via auto submit App p: url_launcher platform-web
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

url_launcher on Flutter Web executes JavaScript URIs by default
3 participants
@ditman @stuartmorgan-g @mdebbar