Action.OpenUrl with a top-level browsing context #8588

Open
wants to merge 1 commit into
base: main

Commits on Jun 28, 2023

  1. Action.OpenUrl with a top-level browsing context

    While HTML links [launch without an opener reference][spec],
    [`window.open`][vulnerability] provides a reference to the parent page
    through an auxiliary browsing context. Given untrusted URL input, this
    can lead to tabnabbing and phishing attacks.
    
    This change uses the [noopener] and [noreferrer] [window features] for
    the default link handler in the React renderer.
    
    [spec]: whatwg/html#4078
    [vulnerability]: https://mathiasbynens.github.io/rel-noopener/
    [window features]: https://developer.mozilla.org/en-US/docs/Web/API/Window/open#windowfeatures
    [noopener]: https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes/rel/noopener
    [noreferrer]: https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes/rel/noreferrer
    sch committed Jun 28, 2023
    6de67c8
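
The difference the commit message describes, as an added example that is not part of this pull request or the project's code. `openUrlUnsafe`, `openUrlHardened` and `makeStubWindow` are hypothetical names, and the stub window is a constructed model of opener behaviour (including a mode that assumes a browser ignoring the feature string) so the comparison runs outside a browser.

```javascript
// Added example: all names here are hypothetical, not the renderer's API.

// Before: the new tab is an auxiliary browsing context, so its
// window.opener points back at the page that opened it.
function openUrlUnsafe(win, url) {
  return win.open(url, "_blank");
}

// After: "noopener" gives the new tab a top-level browsing context with no
// opener reference; "noreferrer" additionally omits the Referer header.
function openUrlHardened(win, url) {
  const handle = win.open(url, "_blank", "noopener,noreferrer");
  // With noopener in effect, open() returns null. If a handle still comes
  // back (feature string ignored), sever the reference by hand.
  if (handle) {
    handle.opener = null;
  }
  return handle;
}

// Constructed stand-in for the browser's window; models only opener handling.
// ignoresFeatures = true is an assumed browser that disregards the features.
function makeStubWindow(ignoresFeatures = false) {
  const parent = {
    opened: [],
    open(url, target, features = "") {
      const flags = features.split(",").map((f) => f.trim().toLowerCase());
      const severed = !ignoresFeatures &&
        (flags.includes("noopener") || flags.includes("noreferrer"));
      const child = { url, opener: severed ? null : parent };
      parent.opened.push(child);
      return severed ? null : child;
    },
  };
  return parent;
}

// True when the opened page still holds a reference to the opening page.
function openerReachable(child) {
  return child.opener !== null;
}
```

In a browser, pass the real `window` as `win`; a `null` return from `openUrlHardened` is the expected result, not a blocked popup.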