What does the "disown-opener" Content Security Policy directive do?

CSPv3 specifies a new disown-opener directive:

The disown-opener directive ensures that a resource will disown its opener when navigated to.

The linked WHATWG spec is not much more helpful either:

The opener IDL attribute on the Window object, on getting, must return the WindowProxy object of the browsing context from which the current browsing context was created (its opener browsing context), if there is one, if it is still available, and if the current browsing context has not disowned its opener; otherwise, it must return null. On setting, if the new value is null then the current browsing context must disown its opener; if the new value is anything else then the user agent must call the [[DefineOwnProperty]] internal method of the Window object, passing the property name "opener" as the property key, and the Property Descriptor { [[Value]]: value, [[Writable]]: true, [[Enumerable]]: true, [[Configurable]]: true } as the property descriptor, where value is the new value.

Does it affect window.opener in any new windows opened from, or navigated to from, a document that includes the disown-opener directive?

The use case is similar to rel=noopener.

The class of attacks both are intended to prevent arises from the following fact: when your document A contains a link to document B (possibly on another origin), any script in document B can access and control the window object of document A through the value of window.opener.

So a script in document B can change window.opener.location, the location of the window document A is in, to the URL of a document C, so that the window navigates away from document A to that URL.

If document C is designed to look exactly like document A (including, say, a spoofed login form), it could be used to trick users and phish their credentials.

Mathias Bynens covers this in detail in About rel=noopener: What problems does it solve?

Setting window.opener to null on the document being navigated to prevents the problem.

The use case it solves is that, without disown-opener, document A would first need to open a new tab/window to a document/location it controls, then use script to set window.opener to null there, and only then have script in the document in that tab/window navigate to document B.

Update 1: I have raised a PR against the HTML spec to add an informative note about this to the spec.

Update 2: The patch from the PR above was merged into the HTML spec, so it now says this:

If a browsing context is disowned, its window.opener attribute is null. That prevents scripts in the browsing context from changing any properties of its opener browsing context's Window object (i.e., the Window object from which the browsing context was created).

Otherwise, if a browsing context is not disowned, then scripts in that browsing context can use window.opener to change properties of its opener browsing context's Window object. For example, a script running in the browsing context can change the value of window.opener.location, causing the opener browsing context to navigate to a completely different document.
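The three-step workaround the answer describes (open a controlled page, disown the opener, then navigate) as an added example; this is not code from the question, the answer or the HTML spec. `openWithoutOpener`, `openNaively`, `canReachOpener` and the `makeContext` model are assumed names; in a browser you would pass the real `window`, and `makeContext` is only a constructed stand-in for the spec's opener semantics so the logic can run offline.

```javascript
// Defensive pattern for browsers without disown-opener / rel=noopener support:
// never let third-party document B run with a live reference to our window.
// Browser usage (assumed): openWithoutOpener(window, 'https://b.example/');

function openWithoutOpener(win, url) {
  // 1. Open a new browsing context at a location we control (about:blank).
  const child = win.open('about:blank');
  if (!child) return null;            // popup blocked by the user agent
  // 2. Disown the opener before any script from document B can run there.
  child.opener = null;
  // 3. Only now navigate the disowned context to the external document B.
  child.location.href = url;
  return child;
}

// The naive alternative: the new context keeps a reference back to `win`,
// so script in document B could set opener.location (reverse tabnabbing).
function openNaively(win, url) {
  return win.open(url);
}

// Can script in `child` still reach, and therefore navigate, the window
// that opened it?
function canReachOpener(child) {
  return child !== null && child.opener !== null;
}

// --- constructed model of a browsing context (assumption, for offline use) ---
// Mirrors the spec text above: open() creates a context whose opener is the
// creating context; assigning null to opener disowns it.
function makeContext(href, opener = null) {
  const ctx = { opener, location: { href }, open: null };
  ctx.open = (url) => makeContext(url, ctx);
  return ctx;
}
```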