LGTM1 to ship. Risk seems very low (and worth it, given security
improvements), but thanks for adding a runtime enabled feature.
On 9/7/23 12:44 AM, 'Jun Kokatsu' via blink-dev wrote:
Contact emails
jkoka...@google.com
Specification
https://github.com/whatwg/html/pull/9309/files
Summary
This change replaces the navigable target name (which is usually set
by the target attribute) with `_blank` if it contains dangling markup
(i.e. `\n` and `<`), which fixes a bypass in the dangling markup
injection mitigation.
Blink component
Blink>SecurityFeature
<https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESecurityFeature>
Motivation
Blink shipped a mitigation for the dangling markup injection attack
<https://chromestatus.com/feature/5735596811091968> a while back.
However, it was discovered that the mitigation can be bypassed through
the target name
<https://portswigger.net/research/evading-csp-with-dom-based-dangling-markup>.
Usage of navigations with such target names is low (~0.000007%)
<https://chromestatus.com/metrics/feature/timeline/popularity/4493>.
Therefore, this change removes the limitation discovered in the
previous mitigation.
Initial public proposal
None
TAG review
None
TAG review status
Not applicable
Risks
Interoperability and Compatibility
None
Gecko: Positive
<https://github.com/mozilla/standards-positions/issues/804>
WebKit: Shipped/Shipping <https://github.com/WebKit/WebKit/pull/16885>
Web developers: No signals
Other signals:
WebView application risks
Does this intent deprecate or change behavior of existing APIs, such
that it has potentially high risk for Android WebView-based applications?
None
Debuggability
None
Is this feature fully tested by web-platform-tests
<https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
Yes <https://github.com/web-platform-tests/wpt/pull/40232>
Flag name on chrome://flags
None
Finch feature name
None
Non-finch justification
None
Requires code in //chrome?
False
Tracking bug
https://bugs.chromium.org/p/chromium/issues/detail?id=1421440
Estimated milestones
119
Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5073969773805568
--
You received this message because you are subscribed to the Google
Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to blink-dev+unsubscr...@chromium.org.
To view this discussion on the web visit
https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOWKMF4CR50EbS%3DMrYxMa5PcyiYPFg%2B4X2e6F5S0kzcxJLygew%40mail.gmail.com
<https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOWKMF4CR50EbS%3DMrYxMa5PcyiYPFg%2B4X2e6F5S0kzcxJLygew%40mail.gmail.com?utm_medium=email&utm_source=footer>.
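As an added illustration of the step the quoted intent describes (this is a model written for this page, not Chromium or spec code), the snippet below mimics the HTML "rules for choosing a navigable" with the new normalization applied first: a target name containing a raw newline or `<` is treated as `_blank`, so the new window gets an empty name instead of the injected markup. The reserved-name handling and the `openNavigables` list are simplified assumptions of this model.

```javascript
// Constructed model of the target-name step from whatwg/html#9309.
// Per the intent, a target name containing "\n" or "<" is replaced by "_blank".
const DANGLING_MARKUP = /[\n<]/;

function normalizeTargetName(name) {
  return DANGLING_MARKUP.test(name) ? "_blank" : name;
}

// Simplified "rules for choosing a navigable" (assumed shape, not spec text):
// current = { targetName, parent?, top? }, openNavigables = [{ targetName }].
function chooseNavigable(name, current, openNavigables) {
  name = normalizeTargetName(name);
  const lower = name.toLowerCase();
  if (name === "" || lower === "_self") return { navigable: current, created: false };
  if (lower === "_parent") return { navigable: current.parent ?? current, created: false };
  if (lower === "_top") return { navigable: current.top ?? current, created: false };
  if (lower !== "_blank") {
    // Only a real name can reuse an existing navigable by target name.
    const existing = openNavigables.find((n) => n.targetName === name);
    if (existing) return { navigable: existing, created: false };
  }
  // A new auxiliary navigable: "_blank" yields an empty target name, so
  // dangling markup never becomes a window.name that a page could read.
  return { navigable: { targetName: lower === "_blank" ? "" : name }, created: true };
}

// Constructed sample inputs: a normal target and one carrying dangling markup.
const page = { targetName: "" };
console.log(chooseNavigable("help", page, []));            // named window "help"
console.log(chooseNavigable("\n<leaked text>", page, []));  // window name is ""
```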