Prevent window.opener from modifying GitLab window
What does this MR do and why?
Prevent window.opener from manipulating GitLab's browser window. If GitLab is opened by a third party, this stops the opener window from controlling GitLab. Nullifying window.opener prevents the opener window from changing the location and from performing other potentially harmful actions.
Third party -- opens --> GitLab window
     |                         ^
     |                         |
     ----- avoids controls -----

This is the inverse of noopener attributes in links, where the window.opener is set to null when GitLab opens third party links.

GitLab window -- opens --> Third party
      ^                         |
      |                         |
      ----- avoids controls -----
Changelog: security
Closes https://gitlab.com/gitlab-org/gitlab/-/issues/417764
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
No changes
How to set up and validate locally
- Go to https://example.com
- In that site, open the web console and type:
    const child = window.open('https://gdk.test:3443/');
    // wait for the window to load GDK GitLab
    setTimeout(()=> child.location = 'https://example.com', 3000);
- Observe that the child window navigates from GDK GitLab to example.com.
- Enable the nullify_window_opener feature flag on https://gdk.test:3443/rails/features/
- Repeat step #1
- Observe that the child window doesn't navigate away from GDK GitLab
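The following is an added example, not code from this MR or from GitLab. It shows the defensive snippet the description relies on (disowning window.opener on load) next to a constructed, simplified model of the browser's "familiar with" rule, so the validation scenario above (a cross-origin opener assigning child.location before and after the opener is nullified) can be reasoned through offline. The context model, makeContext/isFamiliar/tryNavigate and the origins used are assumptions for illustration only.

```javascript
// Defensive snippet, to run as early as possible in the opened page.
// Assigning null to window.opener disowns the opener browsing context.
function nullifyOpener(win) {
  if (win && win.opener) {
    win.opener = null;
    return true; // an opener was present and has now been disowned
  }
  return false;
}

// --- Constructed model (assumption): a browsing context is an origin,
// an optional opener, and a current location. ---
function makeContext(origin, opener = null) {
  return { origin, opener, location: origin };
}

// Simplified form of the spec rule "A is familiar with B": same origin,
// or B is an auxiliary context whose opener A is familiar with.
// A disowned child has no opener, so a cross-origin opener fails this check.
function isFamiliar(a, b) {
  if (a.origin === b.origin) return true;
  if (b.opener !== null) return isFamiliar(a, b.opener);
  return false;
}

// What `child.location = url` from the opener's console amounts to:
// the browser only performs the navigation when the caller is familiar
// with the target. Returns whether the navigation happened.
function tryNavigate(from, target, url) {
  if (!isFamiliar(from, target)) return false;
  target.location = url;
  return true;
}

// Replays the MR's validation steps against the model.
function demo() {
  const thirdParty = makeContext('https://example.com');
  // GitLab opened via window.open from the third-party page.
  const gitlab = makeContext('https://gdk.test:3443', thirdParty);
  const before = tryNavigate(thirdParty, gitlab, 'https://example.com');
  // With the fix enabled, GitLab disowns its opener on load.
  gitlab.location = 'https://gdk.test:3443';
  nullifyOpener(gitlab);
  const after = tryNavigate(thirdParty, gitlab, 'https://example.com');
  return { before, after, location: gitlab.location };
}
```

Note that a same-origin opener stays able to navigate the page after nullifyOpener, because the model (like the browser) grants navigation on origin equality alone.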
Edited by Eduardo Sanz García