Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Navigation "exceptions-enabled" flag obsolete? #4640

Closed
gterzian opened this issue May 19, 2019 · 5 comments
Closed

Navigation "exceptions-enabled" flag obsolete? #4640

gterzian opened this issue May 19, 2019 · 5 comments

Comments

@gterzian
Copy link
Member

gterzian commented May 19, 2019

Navigation currently comes with a exceptions-enabled flag, which is set in navigations originating in window.open or location only, and only used as part of checking allowed-to-navigate and re-throwing the exception in the above two cases.

Note that location also throws an exception when its various attributes are accessed is a non same-origin scenario(which seems stricter, or at least equal to, the check performed inallowed-to-navigate).

In the test suite, I could only find tests for insecure access to open attribute access of a window at https://github.com/servo/servo/blob/master/tests/wpt/web-platform-tests/html/browsers/the-window-object/security-window/window-security.https.html

So I'm wondering, is there a case where an access to either window.open or an attribute of window.location would be "secure", yet allowed-to-navigate would be false and an exception would have to be thrown in the navigation? In other words, is the exception not in fact always thrown when the attribute is accessed, versus during actual navigation?

Would it not make more sense to have open throw a security error when accessed across origins?

Firefox and Chrome both throw security errors when accessing open, without the need to actual call the method and attempt a navigation.

Therefore, I'm wondering if the exceptions-enabled flag is not perhaps obsolete, since:

  1. Location seems to have a stricter check upon attribute access.
  2. Browsers seems to check for security on attribute access of window.open, not during navigation.
  3. I'm not sure if in practice one could get past 1 and 2, and then encounter the exception being thrown as part of the navigation steps.

Perhaps a script could indeed get past the checks on attribute access, if that script were running in a same origin iframe, and then you'd get a negative "is allowed to navigate" answer in the navigation, due to the iframe not being ancestor of it's parent, and neither being a top-level?

@annevk
Copy link
Member

annevk commented May 20, 2019

I think this very much depends on how #313 is resolved and it's hard to say before that is done.

@domenic
Copy link
Member

domenic commented Mar 4, 2022

Allowed to navigate is almost entirely about sandboxing. Maybe it was about something else at the time this issue was raised?

You can have pages which same-origin and sandbox using allow-same-origin, while not allowed to navigate each other (because they don't have allow-top-navigation or similar). So this flag is not obsolete; it's necessary for such cases.

@domenic domenic closed this as completed Mar 4, 2022
@annevk
Copy link
Member

annevk commented Mar 6, 2022

It's not entirely about sandboxing. It's about whether you get to navigate a browsing context you can get a handle to, e.g., with named targeting.

@domenic
Copy link
Member

domenic commented Mar 6, 2022

Hmm, how so? Every step of "allowed to navigate" that returns false does so because of a sandbox flag. (Apologies if I'm missing something obvious or my eyes are just skipping over some crucial clause...)

@annevk
Copy link
Member

annevk commented Mar 11, 2022

Good point. I was thinking about "familiar with". And although that's not currently involved specification-wise, I vaguely recall it is in practice. Anyway, #313 will hopefully one day sort that out.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Development

No branches or pull requests

3 participants