Intent to Deprecate and Remove: Dangling markup in target name

Jun Kokatsu

Sep 6, 2023, 7:45:14 PM
to blink-dev

Contact emails

jkok...@google.com


Specification

https://github.com/whatwg/html/pull/9309/files


Summary

This change replaces the navigable target name (which is usually set by the target attribute) with `_blank` if it contains dangling markup (i.e. `\n` and `<`), which fixes a bypass in the dangling markup injection mitigation.



Blink component

Blink>SecurityFeature


Motivation

Blink shipped a mitigation for dangling markup injection attacks a while back. However, it was discovered that the mitigation can be bypassed through the target name. Navigations with such target names are rare (~0.000007%). Therefore, this change removes the limitation discovered in the previous mitigation.



Initial public proposal

None


TAG review

None


TAG review status

Not applicable


Risks



Interoperability and Compatibility

None



Gecko: Positive


WebKit: Shipped/Shipping


Web developers: No signals


Other signals:


WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?

None



Debuggability

None



Is this feature fully tested by web-platform-tests?

Yes


Flag name on chrome://flags

None


Finch feature name

None


Non-finch justification

None


Requires code in //chrome?

False


Tracking bug

https://bugs.chromium.org/p/chromium/issues/detail?id=1421440


Estimated milestones

119



Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5073969773805568
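
The target-name check from the Summary, as an added example that is not part of the original post and is not Blink's code: it applies the rule to a name and scans raw HTML for quoted `target` attributes that the change would rewrite to `_blank`. The function names, the regex-based scan and the sample markup are assumptions made for illustration, as is treating tab and carriage return like `\n`.

```javascript
// Added illustration, not Blink's implementation.
// Assumption: tab and carriage return are treated like "\n" (the HTML spec's
// "ASCII tab or newline"); the post itself names only "\n" and "<".
const TAB_OR_NEWLINE = /[\t\n\r]/;

// True when a target name matches the dangling-markup pattern.
function hasDanglingMarkup(name) {
  return TAB_OR_NEWLINE.test(name) && name.includes("<");
}

// Name the navigation would use once the change applies.
function effectiveTargetName(name) {
  return hasDanglingMarkup(name) ? "_blank" : name;
}

// Hypothetical audit helper: report quoted target attributes in raw HTML whose
// value would be replaced, so a site owner can see what the change affects.
// The leading \s keeps attributes such as data-target out of the results.
function auditTargets(html) {
  const attr = /\starget\s*=\s*(?:"([^"]*)"|'([^']*)')/gi;
  const findings = [];
  for (const m of html.matchAll(attr)) {
    const value = m[1] !== undefined ? m[1] : m[2];
    if (hasDanglingMarkup(value)) {
      // 1-based line on which the attribute starts.
      const line = html.slice(0, m.index).split("\n").length;
      findings.push({ line, length: value.length, effective: "_blank" });
    }
  }
  return findings;
}

// Constructed sample markup. Line 3 has an unterminated quote, so the
// attribute value runs on across the following lines.
const SAMPLE_HTML = [
  '<a href="/help" target="help_window">Help</a>',
  '<form action="/s" target="a<b"><input name="q"></form>',
  "<a href=\"/x\" target='report",
  "<p>Account: 1234</p>",
  "<span title='x'>done</span>",
].join("\n");

console.log(auditTargets(SAMPLE_HTML));
```

Only the attribute on line 3 of the sample is reported; a name with `<` but no newline, or a newline but no `<`, is left unchanged.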


Mike Taylor

Sep 8, 2023, 10:05:03 AM
to Jun Kokatsu, blink-dev

LGTM1 to ship. Risk seems very low (and worth it, given security improvements), but thanks for adding a runtime enabled feature.

Chris Harrelson

Sep 8, 2023, 10:52:02 AM
to Mike Taylor, Jun Kokatsu, blink-dev

Mike West

Sep 11, 2023, 3:14:46 AM
to Chris Harrelson, Mike Taylor, Jun Kokatsu, blink-dev