... Why. Why would anyone (not maliciously) consider this desirable behaviour?
I doubt that many sites rely on this broken behavior. And even if they do, browsers could still block it and show some warning to the user "Hey, this tab that just opened wants to change the URL of this other tab [allow, always, nope, never]", just like they do for popup windows or sites with broken SSL certs.
Does someone with more experience in these kind of issues know why it was decided to put the responsibility of fixing this on individual websites (rel=noopener) instead of browsers (blocking the URL changing or showing a warning)?
So what you're suggesting is either some sort of asymmetric "same-origin" checks or .... something.
If you're suggesting it would be technically difficult, I'm extremely skeptical of that. The origin's relationship to the target frame should not be impossible to discern, and I'd be a little shocked if it isn't taken into account elsewhere.
> If you're suggesting it would be technically difficult, I'm extremely skeptical of that.
I think it's technically difficult to establish parent/child relationships between toplevel windows, given opener disowning and so forth.
That's not even getting into the possible compat issues, of course, from the behavior change itself.
That said, I'm also skeptical of legitimate uses for controlling the location of another top level window as well, so I'm fine with killing that option too.
Of course, I don't expect them to actually fix this, but I'm still waiting for a convincing argument that it should have been that way in the first place.
> I'm also skeptical of legitimate uses for controlling the location of another top level window as well
Happens all the time: open a popup, then navigate it to places. Not on web pages much nowadays, though it was more common in the past, but in various intranet apps? All the time.
That something is used does not mean it is legitimate. I am not disputing that it is used. I am not saying I think they'll fix it. I am questioning the validity of the decision to allow it in the first place. I have no doubt that other means would be found to achieve the same end goals if it were not available.
While I agree, in practice what this means is that either all browsers need to coordinate rollout precisely (and even then the result will be that many users just stay on insecure versions of browsers instead of updating) or you will have pages (or employers) telling users to switch to whatever browser lags in rolling this out.
We've seen this play out before. The result is that you end up with users picking whichever browser defects (which reduces the incentive for other browsers to do this) or being stuck on the equivalent of IE6.
The benefit of changes that do NOT break compat is that browsers can just roll them out without needing to worry about the above side-effects.
Any web based system where a pop up dialog is opened to allow the user to select something that is then inserted into the original page?
For those systems, though, i'd imagine most of them would have these popup windows on the same origin, right? So having browsers prevent child windows changing their parent's location if they are cross-origin seems like a sensible idea, or am i missing something else?
That being said, i don't see how the proposal of browsers blocking popup windows from redirecting the parent window (if it's cross-origin) by default is any different from, for instance, them blocking popup windows from opening unless it was a user action that triggered them, which all browsers started doing by default quite some time ago. Could you elaborate on why this wouldn't be a sensible solution?
If not, now you're suggesting some sort of asymmetric security checks that depend on something that's not just the origins. Security checks that, chances are, will be easy to evade by malicious actors. At least I haven't thought of a non-evadable one here yet.
Websites relying on such obscure misbehavior are already broken in my book. Fixing them would solve the problem better and cause fewer new problems for everyone else.
Thanks to the bright and sensible handful of people who add extra cruft to HTML after a brief exchange on a mailing list 3 years after a problem was reported, the other 99.9% of the websites will have to be modified too.
In any remaining cases, there should still be some method to white-list the current behavior, e.g. rel=allowopener.
Time to find Firefox's equivalent issue page and convince them not to follow the leader.