[Webkit-unassigned] [Bug 56631] New: [PopupBlocker]Feature suggestion, Force a new window can only be explicitly opened by "window.open" on the EventTarget to which the event was originally dispatched if the call is triggered by an event

bugzilla-daemon at webkit.org bugzilla-daemon at webkit.org
Fri Mar 18 01:24:06 PDT 2011 

https://bugs.webkit.org/show_bug.cgi?id=56631

           Summary: [PopupBlocker]Feature suggestion,  Force a new window
                    can only be explicitly opened by "window.open" on the
                    EventTarget to which the event was originally
                    dispatched if the call is triggered by an event
           Product: WebKit
           Version: 528+ (Nightly build)
          Platform: PC
        OS/Version: Mac OS X 10.5
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
        AssignedTo: webkit-unassigned at lists.webkit.org
        ReportedBy: jnd at chromium.org
                CC: abarth at webkit.org


We have seen lots of pop-up/under bypass done by the following way. (the attachment is demo code to this popup bypass trick)

1. have a normal textNode/anchorElement which does not open any popup windows,
2. register a js function to parent/ancestor node of the textNode/anchorElement as event-listener for click or mouse/key-up/down event, the function opens a popup window,
3. when clicking/pressing key on the textNode/anchorElement, the registered function is called to open popup in event capture/bubbling phase.

Note, the function of event-listener to open popup may be registered by injected external script.

In above case, user may normally do an operate on page contents but get unexpected popup window because the popup is not directly generated by users intended operation. For example, user tries to mark a paragraph text to copy, but may get a popup window created by a function registered in ancestor node of the text to listen mousedown event.

My suggestion is to force a new window can only be explicitly opened by "window.open" on the EventTarget to which the event was originally dispatched if the call is triggered by an event. The underlying meaning is that you have to explicitly open a window in the direct node(content) you are operating, which to eliminate above popup bypass.


Please feel free to share your comments. If most of you like this feature, I will put more implementation details.

Thanks.

-- 
Configure bugmail: https://bugs.webkit.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

More information about the webkit-unassigned mailing list