
Track rel=noopener support

Open martinsuchan opened this issue 9 years ago • 9 comments

This feature is already implemented in Chrome/Opera.

See: https://html.spec.whatwg.org/multipage/semantics.html#link-type-noopener https://mathiasbynens.github.io/rel-noopener/ http://caniuse.com/#feat=rel-noopener https://wpdev.uservoice.com/forums/257854-microsoft-edge-developer/suggestions/12942405-implement-rel-noopener

martinsuchan avatar Sep 01 '16 18:09 martinsuchan

Does anyone have any idea if this will be considered? It would be so great if you could implement it.

Maybe @xiaoyinl @alrra, you guys could answer or ask somebody else in the team?

wojstu avatar Aug 22 '18 08:08 wojstu

Edge doesn't support window.opener on links targeting _blank, so there's not as much need for rel="noopener" support as with other browsers where the opener can be leaked to an external source.

coreyward avatar Sep 11 '18 01:09 coreyward

@coreyward Yes, Edge does not support rel=noopener on links, yet. The goal of this ticket is to track it and eventually implement support for this attribute in Edge.
An example of how links targeting _blank without rel=noopener can be dangerous is available below. Basically the target site can modify the origin site through the window.opener object, which could lead to all kinds of problems. https://mathiasbynens.github.io/rel-noopener/

martinsuchan avatar Sep 11 '18 07:09 martinsuchan

@martinsuchan I just realized I had a typo. I've edited my comment. For clarity: Edge doesn't support window.opener, so the behavior is already the same as Chrome/Safari/Firefox when you use noopener. In other words, the security implications are already addressed and additional changes are not necessary.

coreyward avatar Sep 11 '18 15:09 coreyward

@coreyward Edge doesn't support window.opener - yes, it does: [image]

martinsuchan avatar Sep 11 '18 17:09 martinsuchan

Perhaps you should add a test case to this issue demonstrating window.opener being available to an external webpage (different host, or in IE parlance, a different security zone) when using target="_blank".

coreyward avatar Sep 11 '18 18:09 coreyward

I used this page to test and it appears to work in both IE 11 and Edge. https://davidebove.com/blog/2016/05/05/target_blank-the-vulnerability-in-your-browser/

According to Can I Use it's not supported, but it does appear to be supported. https://caniuse.com/#feat=rel-noopener

So I'm not sure what is acceptable.

earbullet avatar Sep 17 '18 13:09 earbullet

The reason the link works in IE11 and Edge is because it contains both noopener and noreferrer. Only noopener doesn't work in IE and Edge. A great way to test both links is to go to https://mathiasbynens.github.io/rel-noopener/.

Pedrofff avatar Oct 12 '18 13:10 Pedrofff
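The two points made above (a `target="_blank"` link without `rel=noopener` hands the opened page a `window.opener` handle, and older Edge/IE honoured `noreferrer` but not `noopener` on its own) suggest a simple defensive check. The following is an added example, not code from the issue thread or from Edge: a DOM-free linter for server-side templates or CI that flags anchors opening a new browsing context without opener protection and proposes a hardened `rel` value. The sample HTML, the attribute grammar it accepts and the function names are constructed for this example.

```javascript
// Added example (not from the Edge issue thread): flag <a> tags that open a new
// browsing context without rel="noopener"/"noreferrer", and suggest a hardened
// rel. "noopener noreferrer" is recommended together because, as noted in the
// thread, IE/older Edge honoured noreferrer but not noopener on its own.

const TAG_RE = /<a\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Parse the attribute text of one <a ...> tag into a lowercase-keyed object.
function parseAttrs(attrText) {
  const attrs = {};
  let m;
  ATTR_RE.lastIndex = 0;
  while ((m = ATTR_RE.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// A link opens a new browsing context when target is _blank or a named window;
// _self/_parent/_top reuse existing contexts and do not expose window.opener.
function opensNewContext(target) {
  if (target === undefined) return false;
  const t = target.trim().toLowerCase();
  return t !== "" && t !== "_self" && t !== "_parent" && t !== "_top";
}

// noreferrer implies noopener per the HTML spec, so either token protects.
function hasOpenerProtection(rel) {
  const tokens = (rel || "").toLowerCase().split(/\s+/).filter(Boolean);
  return tokens.includes("noopener") || tokens.includes("noreferrer");
}

// Return rel with "noopener noreferrer" added, keeping existing tokens.
function hardenRel(rel) {
  const tokens = (rel || "").split(/\s+/).filter(Boolean);
  const lower = tokens.map((t) => t.toLowerCase());
  for (const needed of ["noopener", "noreferrer"]) {
    if (!lower.includes(needed)) {
      tokens.push(needed);
      lower.push(needed);
    }
  }
  return tokens.join(" ");
}

// Scan an HTML string and report every anchor that would leak window.opener.
function findUnsafeLinks(html) {
  const findings = [];
  let m;
  TAG_RE.lastIndex = 0;
  while ((m = TAG_RE.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    if (opensNewContext(attrs.target) && !hasOpenerProtection(attrs.rel)) {
      findings.push({
        href: attrs.href || "",
        target: attrs.target,
        rel: attrs.rel || "",
        suggestedRel: hardenRel(attrs.rel),
      });
    }
  }
  return findings;
}

// Constructed sample input: two unsafe links, two protected, one same-tab.
const SAMPLE_HTML = `
<a href="https://example.com/a" target="_blank">unsafe</a>
<a href="https://example.com/b" target="_blank" rel="noopener">ok</a>
<a href="https://example.com/c" target='_blank' rel="nofollow noreferrer">ok via noreferrer</a>
<a href="/local" target="_self">same tab</a>
<a href="https://example.com/d" target="partner">named window, unsafe</a>
`;

console.log(JSON.stringify(findUnsafeLinks(SAMPLE_HTML), null, 2));
```

Running it prints the two unsafe anchors (the `_blank` one with no `rel`, and the named-window one) each with `suggestedRel: "noopener noreferrer"`. The check treats named targets the same as `_blank`, since any new browsing context receives an opener; the regex parser is meant for templates and CI output, not as a replacement for a real HTML parser on untrusted markup.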

Hi there, just some updates regarding this topic.

Firefox shipped this since version 52 https://bugzilla.mozilla.org/show_bug.cgi?id=1222516

Safari shipped this since TP 17 https://bugs.webkit.org/show_bug.cgi?id=155166 https://webkit.org/blog/7071/release-notes-for-safari-technology-preview-17/

Chrome shipped this since version 49 https://bugs.chromium.org/p/chromium/issues/detail?id=168988

Furthermore, "Make target=_blank imply noopener; support opener" has been merged into WHATWG https://github.com/whatwg/html/pull/4330

Firefox shipped it since version 79 https://bugzilla.mozilla.org/show_bug.cgi?id=1522083

Safari shipped it since TP 68 https://bugs.webkit.org/show_bug.cgi?id=190481 https://webkit.org/blog/8475/release-notes-for-safari-technology-preview-68/

Chromium is actively working on it and may ship it soon it seems. https://bugs.chromium.org/p/chromium/issues/detail?id=898942

I think this issue is becoming more serious, as it is reported by vulnerability scanning tools nowadays as a reverse tabnabbing exploit. May I ask if both rel=noopener and "target=_blank implies noopener" will be considered? And will it be backported to EdgeHTML Edge 18?

Cheers.

zac1st1k avatar Oct 19 '20 04:10 zac1st1k