Intent to prototype and ship: Ignore target names which contain both \n and < characters

Tom Schuster

May 27, 2024, 9:00:12 AM
to dev-pl...@mozilla.org
This change is supposed to mitigate dangling markup injections using
the target (and formtarget) attribute:
https://portswigger.net/research/evading-csp-with-dom-based-dangling-markup

This is mostly useful together with another mitigation for parsing
URLs, that isn't part of the specification yet:
https://github.com/whatwg/html/pull/10022

I judge the possibility of real web content being impacted by this
change to be near zero.

Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1835157
Standard: https://github.com/whatwg/html/pull/9309
Platform coverage: All
Preference: none
DevTools bug: n/a
Link to standards-position discussion: None
Other browsers:
* Blink: shipping https://issues.chromium.org/issues/40259279
* WebKit: shipping bugs.webkit.org/show_bug.cgi?id=257349

web-platform-tests:
https://wpt.fyi/results/html/browsers/windows/dangling-markup-window-name.html
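
A model of the check announced in the message above, written as an added example (it is not code from the post, from Gecko, or from the HTML Standard). Assumptions: the rule treats ASCII tab, LF and CR alike as the "newline" half of the test, an ignored name falls back to `_blank`, and the function names and sample values are constructed for illustration.

```javascript
// Assumption: "tab or newline" means U+0009, U+000A or U+000D.
const TAB_OR_NEWLINE = /[\t\n\r]/;

// True when a target/formtarget value matches the pattern the change ignores:
// it contains a tab or newline AND a "<". Either character alone is not enough.
function isDanglingMarkupTarget(value) {
  return typeof value === "string" &&
    TAB_OR_NEWLINE.test(value) &&
    value.includes("<");
}

// The browsing-context name that would actually be used for navigation.
// Assumption: an ignored name is replaced by "_blank".
function effectiveTarget(value) {
  if (value === null || value === undefined) return null;
  return isDanglingMarkupTarget(value) ? "_blank" : value;
}

// Audit helper: list the attributes whose value would be ignored, for example
// to feed a console warning or a template linter.
function auditTargets(entries) {
  return entries
    .filter((e) => isDanglingMarkupTarget(e.value))
    .map((e) => `${e.element}[${e.attr}] ignored: value contains a newline/tab and "<"`);
}

// Constructed sample attribute values (not taken from real pages).
const SAMPLES = [
  { element: "a", attr: "target", value: "reportFrame" },            // ordinary name
  { element: "a", attr: "target", value: "a < b" },                  // "<" only: kept
  { element: "form", attr: "target", value: "line1\nline2" },        // newline only: kept
  // An unterminated attribute that swallowed the markup following it:
  { element: "button", attr: "formtarget", value: "x\n<p>account: 1234</p>" },
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s.value), "->", effectiveTarget(s.value));
}
console.log(auditTargets(SAMPLES).join("\n"));
```
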

Nicolas Chevobbe

May 27, 2024, 9:21:47 AM
to dev-pl...@mozilla.org, Tom Schuster
Tom, do you think we should have a DevTools bug to display a warning message to the console when a target attribute is ignored?

Tom Schuster

May 27, 2024, 10:11:09 AM
to Nicolas Chevobbe, dev-pl...@mozilla.org
Could be a good-first-bug for someone.

Nicolas Chevobbe

May 28, 2024, 5:39:59 AM
to dev-pl...@mozilla.org, Tom Schuster, dev-pl...@mozilla.org, Nicolas Chevobbe