🌐 AI搜索 & 代理 主页
Google Git
Sign in
chromium / chromium / src / b89b25f2810242410c3223e78a7e0c15a55040e1
commitb89b25f2810242410c3223e78a7e0c15a55040e1[log] [tgz]
authorArthur Sonzogni <arthursonzogni@chromium.org>Tue Feb 13 16:11:22 2024
committerChromium LUCI CQ <chromium-scoped@luci-project-accounts.iam.gserviceaccount.com>Tue Feb 13 16:11:22 2024
treecffda88276615cae454b67d55c4c3deebd1460d1
parentf49cf93364a359b4feb43a482f72e19c2f85eaa8 [diff]
Update Security FAQ about contextual menu navigations.

We have treated "right click > open in a new window" as similar to the
user copy-pasting the URL into a new window. As a result, many policies:
CSP / sandbox / COEP / COOP / Referrer / origin / browsing context group
/ ... are not inherited.

This is deliberate. As long as there are no strong evidences this could
harm users, we really shouldn't try doing something different. This
would:
- Add extra complexity and unresolved questions.
- Allow websites to block users from opening popups. We should consider
  the intents of the users superior to the intents of the website.
- Open up the door to countess opportunities to fill up new security
  bugs about: "What about inheriting xxx properties?".

There have been 20+ bug reports about this. They have all been closed as
Duplicated/WontFix. See:
- https://bugzilla.mozilla.org/show_bug.cgi?id=1784059
- https://issues.chromium.org/issues/40060542
- https://issues.chromium.org/issues/40057000
- https://issues.chromium.org/issues/324003975
- etc...

We should clear up the ambiguity to avoid additional
security shepherd work to triage the same kind of bug over and over. We
previously agreed with Mozilla to close and make them all public
(2022-08-30).

Bug: 324003975
Change-Id: I89ee125f3964690aadf7d9b0731bc575317f12f3
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5279395
Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org>
Reviewed-by: Mike West <mkwst@chromium.org>
Cr-Commit-Position: refs/heads/main@{#1259862}
1 file changed
tree: cffda88276615cae454b67d55c4c3deebd1460d1
  1. android_webview/
  2. apps/
  3. ash/
  4. base/
  5. build/
  6. build_overrides/
  7. buildtools/
  8. cc/
  9. chrome/
  10. chromecast/
  11. chromeos/
  12. codelabs/
  13. components/
  14. content/
  15. courgette/
  16. crypto/
  17. dbus/
  18. device/
  19. docs/
  20. extensions/
  21. fuchsia_web/
  22. gin/
  23. google_apis/
  24. google_update/
  25. gpu/
  26. headless/
  27. infra/
  28. ios/
  29. ipc/
  30. media/
  31. mojo/
  32. native_client_sdk/
  33. net/
  34. pdf/
  35. ppapi/
  36. printing/
  37. remoting/
  38. rlz/
  39. sandbox/
  40. services/
  41. skia/
  42. sql/
  43. storage/
  44. styleguide/
  45. testing/
  46. third_party/
  47. tools/
  48. ui/
  49. url/
  50. webkit/
  51. clank
  52. internal
  53. ios_internal
  54. native_client
  55. signing_keys
  56. v8
  57. .clang-format
  58. .clang-tidy
  59. .clangd
  60. .eslintrc.js
  61. .git-blame-ignore-revs
  62. .gitallowed
  63. .gitattributes
  64. .gitignore
  65. .gitmodules
  66. .gn
  67. .mailmap
  68. .rustfmt.toml
  69. .vpython3
  70. .yapfignore
  71. ATL_OWNERS
  72. AUTHORS
  73. BUILD.gn
  74. CODE_OF_CONDUCT.md
  75. codereview.settings
  76. DEPS
  77. DIR_METADATA
  78. LICENSE
  79. LICENSE.chromium_os
  80. OWNERS
  81. PRESUBMIT.py
  82. PRESUBMIT_test.py
  83. PRESUBMIT_test_mocks.py
  84. README.md
  85. WATCHLISTS
README.md

Logo Chromium

Chromium is an open-source browser project that aims to build a safer, faster, and more stable way for all users to experience the web.

The project's web site is https://www.chromium.org.

To check out the source code locally, don't use git clone! Instead, follow the instructions on how to get the code.

Documentation in the source is rooted in docs/README.md.

Learn how to Get Around the Chromium Source Code Directory Structure.

For historical reasons, there are some small top level directories. Now the guidance is that new top level directories are for product (e.g. Chrome, Android WebView, Ash). Even if these products have multiple executables, the code should be in subdirectories of the product.

If you found a bug, please file it at https://crbug.com/new.