Contact emails
jkoka...@google.com

Specification
https://github.com/whatwg/html/pull/9309/files

Summary
This change replaces the navigable target name (which is usually set by the target attribute) with `_blank` if it contains dangling markup (i.e. `\n` and `<`). This fixes a bypass in the dangling markup injection mitigation.

Blink component
Blink>SecurityFeature <https://bugs.chromium.org/p/chromium/issues/list?q=component:Blink%3ESecurityFeature>

Motivation
Blink shipped a mitigation for the dangling markup injection <https://chromestatus.com/feature/5735596811091968> attack a while back. However, it was discovered that the mitigation can be bypassed <https://portswigger.net/research/evading-csp-with-dom-based-dangling-markup> through the target name. Usage of navigations with such target names is low <https://chromestatus.com/metrics/feature/timeline/popularity/4493> (~0.000007%). Therefore, this change removes the limitation discovered in the previous mitigation.

Initial public proposal
None

TAG review
None

TAG review status
Not applicable

Risks

Interoperability and Compatibility
None

Gecko: Positive <https://github.com/mozilla/standards-positions/issues/804>
WebKit: Shipped/Shipping <https://github.com/WebKit/WebKit/pull/16885>
Web developers: No signals
Other signals:

WebView application risks
Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?
None

Debuggability
None

Is this feature fully tested by web-platform-tests <https://chromium.googlesource.com/chromium/src/+/main/docs/testing/web_platform_tests.md>?
Yes <https://github.com/web-platform-tests/wpt/pull/40232>

Flag name on chrome://flags
None

Finch feature name
None

Non-finch justification
None

Requires code in //chrome?
False

Tracking bug
https://bugs.chromium.org/p/chromium/issues/detail?id=1421440

Estimated milestones
119

Link to entry on the Chrome Platform Status
https://chromestatus.com/feature/5073969773805568
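
The check described in the Summary, as an added example that is not part of the original message and is not Blink's or the specification's code. The names `effectiveTargetName` and `auditTargets` are hypothetical, the sample values are constructed, and the rule follows the Summary's wording (a newline together with `<`); it can be used to see which of a site's own target values would start opening in a new browsing context.

```javascript
// Added illustration; function names are hypothetical, not Blink or spec identifiers.

// Rule from the Summary: a target name that contains both a newline and "<"
// is treated as dangling markup and replaced with "_blank".
function effectiveTargetName(name) {
  if (name === null || name === undefined) return name; // no target attribute
  const hasNewline = name.includes("\n");
  const hasLessThan = name.includes("<");
  return hasNewline && hasLessThan ? "_blank" : name;
}

// Compatibility audit: given target values collected from a site's own
// templates, return only the entries whose navigation target would change.
function auditTargets(targets) {
  return targets
    .map((original, index) => ({
      index,
      original,
      effective: effectiveTargetName(original),
    }))
    .filter((row) => row.original !== row.effective);
}

// Constructed sample values (not taken from any real site).
const SAMPLE_TARGETS = [
  "_self",                   // keyword, unchanged
  "reportFrame",             // ordinary name, unchanged
  "a<b",                     // "<" only, unchanged
  "line1\nline2",            // newline only, unchanged
  "x\n<p>following markup",  // both present, rewritten to "_blank"
];

const changed = auditTargets(SAMPLE_TARGETS);
for (const row of changed) {
  console.log(
    `target #${row.index} ${JSON.stringify(row.original)} -> ${row.effective}`
  );
}
```

Only the last sample is rewritten: either character alone leaves the target name as it was.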