https://github.com/whatwg/html/pull/9309/files
This change replaces the navigable target name (which is usually set by the target attribute) with `_blank` if it contains dangling markup (i.e. `\n` and `<`), which fixes a bypass in the dangling markup injection mitigation.
Blink shipped a mitigation for the dangling markup injection attack a while back. However, it was discovered that the mitigation can be bypassed through the target name. Navigations with such target names are rare (~0.000007%). Therefore, this change removes the limitation discovered in the previous mitigation.
Gecko: Positive
WebKit: Shipped/Shipping
Web developers: No signals
Other signals:
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications? None
Tracking bug: https://bugs.chromium.org/p/chromium/issues/detail?id=1421440
Estimated milestone: 119
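The rewrite rule described in the intent, modelled as a small script. This is an added example and is not code from the whatwg/html PR or from Blink; the function names are hypothetical, and the match condition follows the intent's wording (the name contains both a line feed and a `<`), which is an assumption about the exact character set the final spec text uses. It also includes a defender-side audit helper that reports which target names on a page would have been rewritten to `_blank`.

```javascript
// Added example (not from the whatwg/html PR or Blink): a model of the
// navigable-target-name mitigation described in the intent. A name that
// carries both a line feed and a "<" is treated as injected dangling markup
// and replaced with "_blank", so a navigation can no longer be steered into
// a navigable whose name was spliced together from attacker-controlled text.

const LF = "\n";
const LT = "<";

// Hypothetical helper name. Assumption: the condition is "\n" AND "<", as the
// intent phrases it; the shipped spec text may match a broader set.
function looksLikeDanglingMarkup(targetName) {
  return targetName.includes(LF) && targetName.includes(LT);
}

// Returns the target name a navigation should actually use.
function sanitizeNavigableTargetName(targetName) {
  if (typeof targetName !== "string") return targetName;
  return looksLikeDanglingMarkup(targetName) ? "_blank" : targetName;
}

// Defender-side audit: given (element, target) pairs collected from a page,
// report the effective target and whether the mitigation rewrote it.
function auditTargets(pairs) {
  return pairs.map(({ element, target }) => ({
    element,
    target,
    effective: sanitizeNavigableTargetName(target),
    rewritten: looksLikeDanglingMarkup(target),
  }));
}

// Constructed sample input: a legitimate named frame, a name containing only a
// newline (not rewritten under the "\n and <" condition), and a name carrying
// both markers, as would result from unbalanced markup injected into the page.
const SAMPLE_TARGETS = [
  { element: "a#help", target: "helpFrame" },
  { element: "form#login", target: "multi\nline" },
  { element: "a#feed", target: "x\n<div title=\"" },
];

if (typeof require !== "undefined" && require.main === module) {
  console.table(auditTargets(SAMPLE_TARGETS));
}
```

Run with `node` to see the audit table; in a browser, the same pairs can be gathered from `document.querySelectorAll("[target]")` and fed to `auditTargets`.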
LGTM1 to ship. Risk seems very low (and worth it, given security improvements), but thanks for adding a runtime enabled feature.
--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAOWKMF4CR50EbS%3DMrYxMa5PcyiYPFg%2B4X2e6F5S0kzcxJLygew%40mail.gmail.com.