Commit
With this change, whenever an auxiliary browsing context is disowned, whether through setting window.opener to null, through using the rel=noreferrer and rel=noopener keywords, or through using the window.open() noopener /features/ argument, it isolates that browsing context from its opener. It will no longer be "familiar with" it, even same-origin, and its opener browsing context is explicitly set to null. It will still get its assigned name (e.g., from the target="" attribute) and will still be script closable.
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -20977,8 +20977,8 @@ interface <dfn>HTMLHyperlinkElementUtils</dfn> { | |
|
||
<li><p>If <var>subject</var>'s <a href="#linkTypes">link types</a> include the <code | ||
data-x="rel-noreferrer">noreferrer</code> or <code data-x="rel-noopener">noopener</code> keyword, | ||
and <var>replace</var> is true, then <span data-x="disowned its opener">disown | ||
<var>target</var>'s opener</span>.</p></li> | ||
and <var>replace</var> is true, then <span data-x="disowned">disown</span> | ||
<var>target</var>.</p></li> | ||
|
||
<li><p><span data-x="resolve a url">Resolve</span> the <span>URL</span> given by | ||
<var>subject</var>'s <code data-x="attr-hyperlink-href">href</code> attribute, relative to | ||
|
@@ -21476,14 +21476,17 @@ interface <dfn>HTMLHyperlinkElementUtils</dfn> { | |
<td><code data-x="rel-noreferrer">noreferrer</code></td> | ||
<td><em>not allowed</em></td> | ||
<td><span data-x="hyperlink annotation">Annotation</span></td> | ||
<td>Requires that the user agent not send an HTTP `<code data-x="http-referer">Referer</code>` (sic) header if the user follows the hyperlink.</td> | ||
<td>Indicates that any <span>browsing context</span> created by following the hyperlink is | ||
<span>disowned</span> and that the user agent will not send an HTTP `<code | ||
data-x="http-referer">Referer</code>` (sic) header if the user follows the hyperlink.</td> | ||
</tr> | ||
|
||
<tr> | ||
<td><code data-x="rel-noopener">noopener</code></td> | ||
<td><em>not allowed</em></td> | ||
<td><span data-x="hyperlink annotation">Annotation</span></td> | ||
<td>Requires that any <span>browsing context</span> created by following the hyperlink must not have an <span>opener browsing context</span>.</td> | ||
<td>Indicates that any <span>browsing context</span> created by following the hyperlink is | ||
<span>disowned</span>.</td> | ||
</tr> | ||
|
||
<tr> | ||
|
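Review bot: The noreferrer and noopener rows now say only that the new browsing context "is disowned", and the definition added later in this patch states just that a disowned context's opener browsing context is set to null. The isolation described in the commit message (no longer "familiar with" the opener, even same-origin) cannot be discovered from this table, so consider a short clause or cross-reference in both rows. The rows also change from "Requires that ..." to "Indicates that ...", which drops the requirement wording for the Referer header; please confirm that requirement is still stated normatively elsewhere.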
@@ -77726,9 +77729,9 @@ dictionary <dfn>DragEventInit</dfn> : <span>MouseEventInit</span> { | |
<p>A <span>browsing context</span> can have a <dfn>creator browsing context</dfn>, the | ||
<span>browsing context</span> that was responsible for its creation. If a <span>browsing | ||
context</span> has a <span>parent browsing context</span>, then that is its <span>creator browsing | ||
context</span>. Otherwise, if the <span>browsing context</span> has an <span>opener browsing | ||
context</span>, then <em>that</em> is its <span>creator browsing context</span>. Otherwise, the | ||
<span>browsing context</span> has no <span>creator browsing context</span>.</p> | ||
context</span>. Otherwise, if the <span>browsing context</span> has a non-null <span>opener | ||
browsing context</span>, then <em>that</em> is its <span>creator browsing context</span>. | ||
Otherwise, the <span>browsing context</span> has no <span>creator browsing context</span>.</p> | ||
|
||
<p>If a <span>browsing context</span> <var>A</var> has a <span>creator browsing | ||
context</span>, then the <code>Document</code> that was the <span>active document</span> of that | ||
|
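Review bot: "has a non-null opener browsing context" is now tested against a value that can change after creation, because setting window.opener to null disowns the context and sets its opener browsing context to null. A context disowned that way would lose its creator browsing context after the fact, which changes the outcome of the next paragraph's "If a browsing context A has a creator browsing context" rule. Suggest stating that the creator browsing context is determined when the browsing context is created, or recording it separately from the opener.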
@@ -77951,20 +77954,21 @@ dictionary <dfn>DragEventInit</dfn> : <span>MouseEventInit</span> { | |
are always <span data-x="top-level browsing context">top-level browsing contexts</span>.</p> | ||
|
||
<p>An <span>auxiliary browsing context</span> has an <dfn>opener browsing context</dfn>, which is | ||
the <span>browsing context</span> from which the <span>auxiliary browsing context</span> was | ||
created.</p> | ||
either null or the <span>browsing context</span> from which the <span>auxiliary browsing | ||
context</span> was created.</p> | ||
|
||
<p>When an <span>auxiliary browsing context</span> is <dfn | ||
id="disowned-its-opener">disowned</dfn>, its <span>opener browsing context</span> must be set to | ||
null. | ||
|
||
|
||
<h5>Navigating auxiliary browsing contexts in the DOM</h5> | ||
|
||
<p>The <dfn><code data-x="dom-opener">opener</code></dfn> IDL attribute on the <code>Window</code> | ||
object, on getting, must return the <code>WindowProxy</code> object of the <span>browsing | ||
context</span> from which the current <span>browsing context</span> was created (its <span>opener | ||
browsing context</span>), if there is one, if it is still available, and if the current | ||
<span>browsing context</span> has not <i data-x="disowned its opener">disowned its opener</i>; | ||
otherwise, it must return null. On setting, if the new value is null then the current | ||
<span>browsing context</span> must <dfn data-x="disowned its opener">disown its opener</dfn>; if | ||
the new value is anything else then the user agent must | ||
object, on getting, must return the <code>WindowProxy</code> object of the current <span>browsing | ||
context</span>'s <span>opener browsing context</span>, if there is one; otherwise, it must return | ||
null. On setting, if the new value is null then the current <span>browsing context</span> must be | ||
<span>disowned</span>; if the new value is anything else then the user agent must | ||
|
||
<!-- dark magic incantation begins --> | ||
call the [[DefineOwnProperty]] internal method of the <code>Window</code> object, passing the | ||
|
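Review bot: In the rewritten opener getter the old condition "if it is still available" is dropped together with the disowned check, and the commit message does not mention it. As written, the getter returns the WindowProxy of the opener browsing context whenever there is one, so unless something else sets the opener browsing context to null when the opener goes away this changes behaviour beyond disowning; either keep the clause or say where the opener becomes null. With the opener now defined as "either null or the browsing context ...", "if there is one" would read more precisely as "if it is non-null". The new paragraph that defines "disowned" is also missing its closing </p>.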
@@ -78000,13 +78004,14 @@ dictionary <dfn>DragEventInit</dfn> : <span>MouseEventInit</span> { | |
|
||
<li>Either the <span>origin</span> of the <span>active document</span> of <var>A</var> | ||
is the <span data-x="same origin">same</span> as the <span>origin</span> of the <span>active | ||
document</span> of <var>B</var>, or</li> | ||
document</span> of <var>B</var> and neither <var>A</var> nor <var>B</var> are | ||
|
||
<span>disowned</span>, or</li> | ||
|
||
<li>The browsing context <var>A</var> is a <span>nested browsing context</span> with a | ||
<span>top-level browsing context</span>, and its <span>top-level browsing context</span> is <var>B</var>, or</li> | ||
|
||
<li>The browsing context <var>B</var> is an <span>auxiliary browsing context</span> and | ||
<var>A</var> is <span>familiar with</span> <var>B</var>'s <span>opener | ||
<li>The browsing context <var>B</var> is an <span>auxiliary browsing context</span> that is not | ||
|
||
<span>disowned</span> and <var>A</var> is <span>familiar with</span> <var>B</var>'s <span>opener | ||
browsing context</span>, or</li> | ||
|
||
<li>The browsing context <var>B</var> is not a <span>top-level browsing context</span>, | ||
|
||
|
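Review bot: Both changed list items test whether a context "is disowned" as a lasting state, but the definition added earlier in this patch only says that when an auxiliary browsing context is disowned its opener browsing context must be set to null. Nothing records that the context was disowned, and the definition covers auxiliary browsing contexts only, while A and B in the first item can be any browsing context. Suggest defining an explicit disowned flag that is set at the same time as the opener is nulled, and testing that flag here. In the first item, "neither A nor B are" should be "neither A nor B is".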
@@ -78870,9 +78875,8 @@ callback <dfn>FrameRequestCallback</dfn> = void (<span>DOMHighResTimeStamp</span | |
<ol> | ||
|
||
<li><p>If the result of <span data-x="split a string on commas">splitting <var>features</var> | ||
on commas</span> contains the token "<code data-x="">noopener</code>", <span data-x="disowned | ||
its opener">disown <var>target browsing context</var>'s opener</span>, and return <code | ||
data-x="">null</code>.</p></li> | ||
on commas</span> contains the token "<code data-x="">noopener</code>", <span | ||
data-x="disowned">disown</span> <var>target browsing context</var>, and return null.</p></li> | ||
|
||
<li><p>Otherwise, return the <code>WindowProxy</code> object of <var>target browsing | ||
context</var>.</p></li> | ||
|
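Review bot: This step disowns target browsing context whenever features contains "noopener", with no counterpart to the "and replace is true" guard that the hyperlink step at the top of this patch keeps. If target browsing context can be an existing context rather than a newly created one, window.open() with noopener would disown and isolate a context the caller did not create. Suggest adding an equivalent guard, or a note explaining why it is not needed here.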
We need to say that A is familiar with B if A and B are the same browsing context. This used to come for free with the origin check, but doesn't anymore.
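The isolation described in the commit message and the self-familiarity gap raised in the comment above can be checked with a small model. This is an added example, not code from the specification or the project: it implements only the three "familiar with" conditions visible in the diff, and the field names and the `disowned` flag are assumptions of the sketch.

```javascript
// Simplified model of the "familiar with" conditions visible in this diff.
// The fourth condition is cut off on the page and is not modelled.
// Field names (origin, parent, top, opener, disowned) are assumptions.
function makeContext({ origin, parent = null, opener = null }) {
  const ctx = { origin, parent, opener, disowned: false, auxiliary: opener !== null };
  ctx.top = parent ? parent.top : ctx;
  return ctx;
}

// "Disowned": the opener browsing context is set to null. The flag is an
// assumption of this sketch so that the conditions below can test the state.
function disown(ctx) {
  ctx.opener = null;
  ctx.disowned = true;
}

function familiarWith(a, b) {
  // 1. Same origin, and neither A nor B is disowned.
  if (a.origin === b.origin && !a.disowned && !b.disowned) return true;
  // 2. A is a nested context whose top-level browsing context is B.
  if (a.parent !== null && a.top === b) return true;
  // 3. B is an auxiliary context that is not disowned, and A is familiar
  //    with B's opener.
  if (b.auxiliary && !b.disowned && b.opener !== null && familiarWith(a, b.opener)) return true;
  return false;
}

function demo() {
  // Constructed sample contexts; the origins are placeholders.
  const opener = makeContext({ origin: "https://app.example" });
  const popup = makeContext({ origin: "https://app.example", opener });
  const frame = makeContext({ origin: "https://widget.example", parent: popup });
  const before = familiarWith(popup, opener);
  disown(popup); // rel=noopener, rel=noreferrer, or window.opener = null
  return {
    before,
    popupToOpener: familiarWith(popup, opener),
    openerToPopup: familiarWith(opener, popup),
    popupToSelf: familiarWith(popup, popup),
    frameToPopup: familiarWith(frame, popup),
    openerValue: popup.opener,
  };
}
```

Under these three conditions a disowned popup is cut off from its same-origin opener in both directions, and it is also not familiar with itself, while a frame nested inside it still reaches it through the top-level rule.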