dev-platform@mozilla.org
Intent to prototype and ship: Ignore target names which contain both \n and < characters
Tom Schuster
May 27, 2024, 9:00:12 AM
to dev-pl...@mozilla.org
This change is supposed to mitigate dangling markup injections using
the target (and formtarget) attribute:
https://portswigger.net/research/evading-csp-with-dom-based-dangling-markup
This is mostly useful together with another mitigation for parsing
URLs, that isn't part of the specification yet:
https://github.com/whatwg/html/pull/10022
I judge the possibility of real web content being impacted by this
change to be near zero.
Bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=1835157
Standard:
https://github.com/whatwg/html/pull/9309
Platform coverage: All
Preference: none
DevTools bug: n/a
Link to standards-position discussion: None
Other browsers:
* Blink: shipping
https://issues.chromium.org/issues/40259279
* WebKit: shipping
bugs.webkit.org/show_bug.cgi?id=257349
web-platform-tests:
https://wpt.fyi/results/html/browsers/windows/dangling-markup-window-name.html
Nicolas Chevobbe
May 27, 2024, 9:21:47 AM
to dev-pl...@mozilla.org, Tom Schuster
Tom, do you think we should have a DevTools bug to display a warning message to the console when a target attribute is ignored?
Tom Schuster
May 27, 2024, 10:11:09 AM
to Nicolas Chevobbe, dev-pl...@mozilla.org
Could be a good-first-bug for someone.
Nicolas Chevobbe
May 28, 2024, 5:39:59 AM
to dev-pl...@mozilla.org, Tom Schuster, dev-pl...@mozilla.org, Nicolas Chevobbe
Alright, I filed
https://bugzilla.mozilla.org/show_bug.cgi?id=1899251
for this
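
The check described in the first message, combined with the kind of report the DevTools warning discussed in the replies could give, as an added example that is not part of the original thread or of Firefox's code. It assumes that tab and carriage return count alongside `\n` and that an ignored name falls back to `_blank`; `effectiveTarget`, `findIgnoredTargets` and the sample markup are constructed for illustration.

```javascript
// "ASCII tab or newline" in the HTML Standard: TAB, LF, CR.
const TAB_OR_NEWLINE = /[\t\n\r]/;

// Mirrors the browser-side rule: a target name that holds both a
// tab/newline and "<" is not used as a window name.
// Assumption: "_blank" is used in its place.
function effectiveTarget(name) {
  if (name !== null && TAB_OR_NEWLINE.test(name) && name.includes("<")) {
    return "_blank";
  }
  return name;
}

// Hypothetical lint helper for templates or rendered pages: locate
// target/formtarget attributes and report the ones that would be ignored.
// A quoted value runs to the next matching quote, so an unterminated
// attribute swallows the markup that follows it, newlines included.
function findIgnoredTargets(html) {
  const attr =
    /(?<![\w-])(formtarget|target)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/gi;
  const findings = [];
  for (const m of html.matchAll(attr)) {
    const value = m[2] ?? m[3] ?? m[4];
    if (effectiveTarget(value) !== value) {
      // 1-based line number of the attribute name in the input.
      const line = html.slice(0, m.index).split("\n").length;
      findings.push({ attribute: m[1].toLowerCase(), line, length: value.length });
    }
  }
  return findings;
}

// Constructed sample: line 3 has a target attribute whose quote never closes.
const SAMPLE = [
  '<a href="/help" target="help_window">Help</a>',
  '<form><button formtarget="_blank">Go</button></form>',
  '<a href="/next" target="',
  "<p>Account: 1234</p>",
  '<input name="q" value="x">',
].join("\n");

for (const f of findIgnoredTargets(SAMPLE)) {
  console.warn(`line ${f.line}: ${f.attribute} value (${f.length} chars) would be ignored`);
}
```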