Steps to reproduce
This is a feature request resulting from this discussion in the WHATWG HTML issue tracker:
The problem is, that rel=noopener is not the perfect solution to mitigate the non-trivial security problem, when a window accesses and manipulates its opener window.
Proposed solution: If a window A opens a new window B, and if both windows do not share the same origin, then:
- detect, when B wants to access and/or modify A’s window object
- if it does, block the action and present the user with a modal warning in A, asking for allowance
The warning could be similar to the ones when entering fullscreen mode or when asking for location information.
This solution addresses the problem, that cross-origin access to the parent window object is inherently unsafe, but seems to be used in some OAuth workflows, which rules out plainly disallowing this practice.
Comments and activity
Chromium issue: https://bugs.chromium.org/p/chromium/issues/detail?id=670203
Firefox issue: https://bugzilla.mozilla.org/show_bug.cgi?id=1321305
- Microsoft Edge Team
Changed Assigned To to “Ibrahim O.”
Changed Assigned To to “Christian F.”
Changed Assigned To to “Sermet I.”
Changed Assigned To from “Sermet I.” to “Crispin C.”
Changed Status to “Confirmed”