Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

"popup-navigate" / "popup-document" #17

Closed
annevk opened this issue Mar 9, 2019 · 5 comments
Closed

"popup-navigate" / "popup-document" #17

annevk opened this issue Mar 9, 2019 · 5 comments

Comments

@annevk
Copy link
Member

annevk commented Mar 9, 2019

It seems useful to tell a resource it's being loaded in an auxiliary browsing context as this means it can be controlled to some extent. (I'm not entirely sure whether to enshrine popup or "auxiliary".)
@annevk annevk mentioned this issue Mar 9, 2019
Open
@arturjanc
Copy link
Contributor

@koto and I chatted about this yesterday and I think it's an interesting idea, but we were having some trouble figuring out how a server would translate this value into security decisions.

I imagine we'd primarily want to to tell victim.com whenever it's being opened by evil.com in a new window/tab; but an attacker could set it up so that she would have a reference to the window without making any "popup navigations" to victim.com, for example:

  • evil.com opens a popup to evil2.com and then navigates its own window (opener) to victim.com.
  • evil.com opens a popup to evil2.com which then navigates itself (openee) to victim.com.

In both cases an attacker would still have a reference to the victim window and could interact with it. We could have a flag saying "I'm being navigated in a window to which some other window has a reference", but I expect there would be legitimate cases where this is true which are out of control of the application, so the application couldn't reject such interactions.

Overall, there's merit to providing servers with such information, but there are also limits to what we can guarantee at request time -- my guess is that in practice we might have better luck with something like COOP for the problem of direct cross-window interactions.

@annevk
Copy link
Member Author

annevk commented Mar 11, 2019

That's a very good point.

If we were to offer something it'd have to be more like:

  • Loaded in an existing browsing context group (someone might have a reference to you)
  • Loaded in a nested browsing context group
  • Loaded in a fresh browsing context group

In all of these your name might still be polluted however and you might also be sandboxed.

@mikewest mikewest mentioned this issue Mar 12, 2019
Closed
@mikewest
Copy link
Member

My intuition is that servers would either expect to be popped-up, and would therefore ignore the poppedupness of any navgation request, or wouldn't expect to be popped-up, and would therefore deliver some sort of COOP header unconditionally.

In either case, I'm not sure that delivering the additional "You've been popped up!" bit would change the server's decision. Are there other scenarios in which the server would do something differently when loading in an auxiliary browsing context?

@annevk
Copy link
Member Author

annevk commented Mar 12, 2019

Assuming COOP works out there's probably nothing to do here.

@mikewest
Copy link
Member

Closing this out, as I don't think this is a good fit given the other tools we have available. COOP seems like the right way to address the threat.

@mjz3 mjz3 mentioned this issue Mar 22, 2022
Open
@yoavweiss yoavweiss mentioned this issue Jun 3, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@mikewest @arturjanc @annevk