From c0fbcc264fdf8e0624bae306c68015e04be38eb6 Mon Sep 17 00:00:00 2001
From: Andrew Williams <awillia@chromium.org>
Date: Sun, 17 Nov 2024 23:10:39 -0500
Subject: [PATCH] Enforce noopener on cross-top-level-site blob URLs

Cause noopener to be set for window.open(), clicks on <a> / <area> elements, and form submissions where the corresponding blob URL is cross-site to the top-level site of the context performing the action. This corresponds to the discussion in https://github.com/w3c/FileAPI/issues/153.
---
 source | 113 ++++++++++++++++++++++++++++++++++++++-------------------
 1 file changed, 76 insertions(+), 37 deletions(-)

diff --git a/source b/source
index 667b17a3a94..0d819eccb96 100644
--- a/source
+++ b/source
@@ -25553,7 +25553,8 @@ document.body.appendChild(wbr);</code></pre>
   web content.</p>
 
   <p>To <dfn>get an element's noopener</dfn>, given an <code>a</code>, <code>area</code>, or
-  <code>form</code> element <var>element</var> and a string <var>target</var>:</p>
+  <code>form</code> element <var>element</var>, a <span>URL record</span> <var>url</var>, and a
+  string <var>target</var>, perform the following steps. They return a boolean.</p>
 
   <ol>
    <li><p>If <var>element</var>'s <a href="#linkTypes">link types</a> include the <code
@@ -25565,6 +25566,24 @@ document.body.appendChild(wbr);</code></pre>
    <span>ASCII case-insensitive</span> match for "<code data-x="">_blank</code>", then return
    true.</p></li>
 
+   <li>
+    <p>If <var>url</var>'s <span data-x="concept-url-scheme">scheme</span> is "<code
+    data-x="">blob</code>":</p>
+
+    <ol>
+     <li><p>Let <var>blobOrigin</var> be <var>url</var>'s <span
+     data-x="concept-url-blob-entry">blob URL entry</span>'s <span
+     data-x="blob-url-entry-environment">environment</span>'s <span
+     data-x="concept-settings-object-origin">origin</span>.</p></li>
+
+     <li><p>Let <var>topLevelOrigin</var> be <var>element</var>'s <span>relevant settings
+     object</span>'s <span>top-level origin</span>.</p></li>
+
+     <li><p>If <var>blobOrigin</var> is not <span>same site</span> with <var>topLevelOrigin</var>,
+     then return true.</p></li>
+    </ol>
+   </li>
+
    <li><p>Return false.</p></li>
   </ol>
 
@@ -25585,8 +25604,14 @@ document.body.appendChild(wbr);</code></pre>
    <var>targetAttributeValue</var> to the result of <span data-x="get an element's target">getting
    an element's target</span> given <var>subject</var>.</p></li>
 
+   <li><p>Let <var>urlRecord</var> be the result of <span>encoding-parsing a URL</span> given
+   <var>subject</var>'s <code data-x="attr-hyperlink-href">href</code> attribute value, relative to
+   <var>subject</var>'s <span>node document</span>.</p></li>
+
+   <li><p>If <var>urlRecord</var> is failure, then return.</p></li>
+
    <li><p>Let <var>noopener</var> be the result of <span data-x="get an element's noopener">getting
-   an element's noopener</span> with <var>subject</var> and
+   an element's noopener</span> with <var>subject</var>, <var>urlRecord</var>, and
    <var>targetAttributeValue</var>.</p></li>
 
    <li><p>Let <var>targetNavigable</var> be the first return value of applying <span>the rules for
@@ -25595,11 +25620,8 @@ document.body.appendChild(wbr);</code></pre>
 
    <li><p>If <var>targetNavigable</var> is null, then return.</p></li>
 
-   <li><p>Let <var>urlString</var> be the result of <span>encoding-parsing-and-serializing a
-   URL</span> given <var>subject</var>'s <code data-x="attr-hyperlink-href">href</code> attribute
-   value, relative to <var>subject</var>'s <span>node document</span>.</p></li>
-
-   <li><p>If <var>urlString</var> is failure, then return.</p></li>
+   <li><p>Let <var>urlString</var> be the result of applying the <span
+   data-x="concept-url-serializer">URL serializer</span> to <var>urlRecord</var>.</p></li>
 
    <li><p>If <var>hyperlinkSuffix</var> is non-null, then append it to
    <var>urlString</var>.</p></li>
@@ -60016,7 +60038,8 @@ fur
    <var>formTarget</var>.</p></li>
 
    <li><p>Let <var>noopener</var> be the result of <span data-x="get an element's noopener">getting
-   an element's noopener</span> with <var>form</var> and <var>target</var>.</p></li>
+   an element's noopener</span> with <var>form</var>, <var>parsed action</var>, and
+   <var>target</var>.</p></li>
 
    <li><p>Let <var>targetNavigable</var> be the first return value of applying <span>the rules for
    choosing a navigable</span> given <var>target</var>, <var>form</var>'s <span>node
@@ -89830,12 +89853,45 @@ dictionary <dfn dictionary>WindowPostMessageOptions</dfn> : <span>StructuredSeri
 
   <div w-nodev>
 
+  <p>To <dfn>get noopener for window open</dfn>, given a <code>Document</code>
+  <var>sourceDocument</var>, an <span>ordered map</span> <var>tokenizedFeatures</var>, and a
+  <span>URL record</span> <var>url</var>, perform the following steps. They return a boolean.</p>
+
+  <ol>
+   <li>
+    <p>If <var>url</var>'s <span data-x="concept-url-scheme">scheme</span> is "<code
+    data-x="">blob</code>":</p>
+
+    <ol>
+     <li><p>Let <var>blobOrigin</var> be <var>url</var>'s <span
+     data-x="concept-url-blob-entry">blob URL entry</span>'s <span
+     data-x="blob-url-entry-environment">environment</span>'s <span
+     data-x="concept-settings-object-origin">origin</span>.</p></li>
+
+     <li><p>Let <var>topLevelOrigin</var> be <var>sourceDocument</var>'s <span>relevant settings
+     object</span>'s <span>top-level origin</span>.</p></li>
+
+     <li><p>If <var>blobOrigin</var>is not <span>same site</span> with <var>topLevelOrigin</var>,
+     then return true.</p></li>
+    </ol>
+   </li>
+
+   <li><p>Let <var>noopener</var> be false.</p></li>
+
+   <li><p>If <var>tokenizedFeatures</var>["<code data-x="">noopener</code>"] <span data-x="map
+   exists">exists</span>, then set <var>noopener</var> to the result of <span
+   data-x="concept-window-open-features-parse-boolean">parsing <var>tokenizedFeatures</var>["<code
+   data-x="">noopener</code>"] as a boolean feature</span>.</p></li>
+
+   <li><p>Return <var>noopener</var>.</p></li>
+  </ol>
+
   <p>The <dfn>window open steps</dfn>, given a string <var>url</var>, a string <var>target</var>,
   and a string <var>features</var>, are as follows:</p>
 
   <ol>
    <li><p>If the <span>event loop</span>'s <span>termination nesting level</span> is nonzero,
-   return null.</p></li>
+   then return null.</p></li>
 
    <li><p>Let <var>sourceDocument</var> be the <span>entry global object</span>'s <span
    data-x="concept-document-window">associated <code>Document</code></span>.</p></li>
@@ -89860,37 +89916,20 @@ dictionary <dfn dictionary>WindowPostMessageOptions</dfn> : <span>StructuredSeri
    <li><p>Let <var>tokenizedFeatures</var> be the result of <span
    data-x="concept-window-open-features-tokenize">tokenizing</span> <var>features</var>.</p></li>
 
-   <li><p>Let <var>noopener</var> and <var>noreferrer</var> be false.</p></li>
+   <li><p>Let <var>noreferrer</var> be false.</p></li>
 
-   <li>
-    <p>If <var>tokenizedFeatures</var>["<code data-x="">noopener</code>"] <span data-x="map
-    exists">exists</span>, then:</p>
-
-    <ol>
-     <li><p>Set <var>noopener</var> to the result of <span
-     data-x="concept-window-open-features-parse-boolean">parsing
-     <var>tokenizedFeatures</var>["<code data-x="">noopener</code>"] as a boolean
-     feature</span>.</p></li>
-
-     <li><p><span data-x="map remove">Remove</span> <var>tokenizedFeatures</var>["<code
-     data-x="">noopener</code>"].</p></li>
-    </ol>
-   </li>
+   <li><p>If <var>tokenizedFeatures</var>["<code data-x="">noreferrer</code>"] <span data-x="map
+   exists">exists</span>, then set <var>noreferrer</var> to the result of <span
+   data-x="concept-window-open-features-parse-boolean">parsing <var>tokenizedFeatures</var>["<code
+   data-x="">noreferrer</code>"] as a boolean feature</span>.</p></li>
 
-   <li>
-    <p>If <var>tokenizedFeatures</var>["<code data-x="">noreferrer</code>"] <span data-x="map
-    exists">exists</span>, then:</p>
-
-    <ol>
-     <li><p>Set <var>noreferrer</var> to the result of <span
-     data-x="concept-window-open-features-parse-boolean">parsing
-     <var>tokenizedFeatures</var>["<code data-x="">noreferrer</code>"] as a boolean
-     feature</span>.</p></li>
+   <li><p>Let <var>noopener</var> be the result of <span
+   data-x="get noopener for window open">getting noopener for window open</span> with
+   <var>sourceDocument</var>, <var>tokenizedFeatures</var>, and <var>urlRecord</var>.</p></li>
 
-     <li><p><span data-x="map remove">Remove</span> <var>tokenizedFeatures</var>["<code
-     data-x="">noreferrer</code>"].</p></li>
-    </ol>
-   </li>
+   <li><p><span data-x="map remove">Remove</span> <var>tokenizedFeatures</var>["<code
+   data-x="">noopener</code>"] and <var>tokenizedFeatures</var>["<code
+   data-x="">noreferrer</code>"].</p></li>
 
    <li><p>Let <var>referrerPolicy</var> be the empty string.</p></li>