To mitigate "tab-napping" attacks, in which a new tab/window opened by a victim context may navigate that opener context, the HTML standard changed to specify that anchors that target _blank should behave as if |rel="noopener"| is set. A page wishing to opt out of this behavior may set |rel="opener"|.
(As an aside, this change also means that links that specify a scroll-to-text-fragment are more likely to work when shared in web forums, because the scroll-to-text-fragment behavior is only allowed for cross-origin popups when the target is opened noopener.)
This change improves security by discarding opener information unless it is explicitly granted.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/fa05b5eb-3df9-4530-a278-0c3ad640bd85n%40chromium.org.
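As an added illustration (not part of the original thread), the sketch below applies the HTML Standard's noopener rule for links to constructed markup and lists the anchors that would still hand `window.opener` to the page they open. The function names and the sample HTML are assumptions made for this example; the attribute scan is a simplified regex, not a full HTML parser, and it ignores `<base target>`.

```javascript
// rel is a set of ASCII-whitespace-separated, case-insensitive link types.
function relTokens(rel) {
  return new Set((rel || '').toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean));
}

// True when the newly opened context receives no window.opener reference.
function isNoopener(target, rel) {
  const tokens = relTokens(rel);
  if (tokens.has('noopener') || tokens.has('noreferrer')) return true;
  // The change discussed above: _blank implies noopener unless rel="opener".
  if (!tokens.has('opener') && (target || '').toLowerCase() === '_blank') return true;
  return false; // named targets keep the opener unless rel says otherwise
}

// Scan <a>/<area> start tags and report links that keep the opener relationship.
function auditLinks(html) {
  const findings = [];
  const tagRe = /<(a|area)(?=[\s\/>])([^>]*)>/gi;
  const attrRe = /([^\s=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  for (const tag of html.matchAll(tagRe)) {
    const attrs = {};
    for (const m of tag[2].matchAll(attrRe)) {
      const name = m[1].toLowerCase();
      if (!(name in attrs)) attrs[name] = m[2] ?? m[3] ?? m[4] ?? '';
    }
    const target = attrs.target;
    // No target, or a same-tree keyword target, opens no new context.
    if (!target || ['_self', '_parent', '_top'].includes(target.toLowerCase())) continue;
    if (!isNoopener(target, attrs.rel)) {
      findings.push({ href: attrs.href || '', target, rel: attrs.rel || '' });
    }
  }
  return findings;
}

// Constructed sample markup (not taken from any real site).
const SAMPLE = `
<a href="https://example.com/a" target="_blank">implied noopener</a>
<a href="https://example.com/b" target="_blank" rel="opener">explicit opt-out</a>
<a href="https://example.com/c" target="reports">named target</a>
<a href="https://example.com/d" target="reports" rel="noreferrer">named, no opener</a>
<a href="https://example.com/e">same tab</a>`;

console.log(auditLinks(SAMPLE));
```

Only the explicit `rel="opener"` link and the named-target link without `noopener`/`noreferrer` are reported; the implied default covers `_blank` only.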
This seems like a typical change that might hurt enterprise sites because they do strange things. Eric, can you please check https://www.chromium.org/developers/enterprise-changes and see what you think?
/Daniel
The unique problem for enterprise is that even trivial changes can take months (at least) to go from developer to installation, so a time-limited policy to revert to the deprecated behaviour sounds like a good plan. I'd support that.
During the API Owner meeting yesterday, we also considered making it possible to turn off remotely, but considering that the change is already live in Gecko, I do think a policy is enough protection against breaking things.
LGTM3 with an enterprise policy added.
/Daniel