
Prevent window.opener from modifying GitLab window

Eduardo Sanz García requested to merge eduardosanz/nullify-window-opener into master

What does this MR do and why?

Prevent window.opener from manipulating GitLab's browser window. If GitLab is opened by a third party, prevent the opener window from controlling GitLab. Nullifying window.opener prevents the opener window from changing the location and performing other potentially harmful actions.

Third party -- opens --> GitLab window
    |                         ^
    |                         |
     ---- avoids controls ----

This is the inverse of the noopener attribute on links, where window.opener is set to null when GitLab opens third-party links.

GitLab window -- opens --> Third party
    ^                         |
    |                         |
     ---- avoids controls ----

Changelog: security

Closes https://gitlab.com/gitlab-org/gitlab/-/issues/417764

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

No changes

How to set up and validate locally

  1. Go to https://example.com
  2. In that site, open the web console and type:
       const child = window.open('https://gdk.test:3443/');
       // wait for the window to load GDK GitLab
       setTimeout(() => child.location = 'https://example.com', 3000);
  3. Observe that the child window navigates from GDK GitLab to example.com.
  4. Enable the nullify_window_opener feature flag on https://gdk.test:3443/rails/features/
  5. Repeat step 2.
  6. Observe that the child window doesn't navigate away from GDK GitLab.
Edited by Eduardo Sanz García
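The two directions described in the MR (a third party opening GitLab, and GitLab opening a third-party link) and the opener-side probe from the validation steps, as an added example written for this page. This is not code from the MR or from GitLab; the function names and the stub-window parameters are assumptions made for illustration. The browser behaviour it relies on is the HTML spec's disowned-opener rule: once a window sets window.opener = null, the window that opened it is no longer "familiar with" it and is not allowed to navigate it. Because the opener already holds a WindowProxy to the child, the nulling has to happen before the opener gets to act, so it belongs in an inline script at the top of <head>, not in a deferred bundle.

```javascript
// Added example for this page, not code from the MR or from GitLab.
// Function names and the stub-window parameters are assumptions for
// illustration. Relies on the HTML spec's "disowned opener" rule: after a
// window sets window.opener = null, its opener may no longer navigate it.

/**
 * Child-side defence: disown our opener so the third party that called
 * window.open() on us cannot change our location. The opener already holds a
 * WindowProxy to us, so this must run before it gets a chance to act: an
 * inline <script> at the top of <head>, not a deferred bundle.
 * Returns true when an opener was present and has been nulled, false when
 * there was nothing to do or the assignment did not take effect.
 */
function nullifyWindowOpener(win = globalThis.window) {
  if (!win || win.opener == null) return false; // not opened by another window
  try {
    win.opener = null; // marks this browsing context as disowned
  } catch (_err) {
    // A non-writable `opener` (stub or exotic host) throws in strict mode;
    // report the observed state rather than assuming success.
  }
  return win.opener === null;
}

/**
 * The inverse direction: when this page opens a third-party URL, pass noopener
 * so the new window sees window.opener === null and cannot navigate us.
 * The browser then returns null instead of a handle, so we cannot reach the
 * new window either; giving up that control is the point.
 */
function openExternal(url, win = globalThis.window) {
  const features = 'noopener,noreferrer';
  const handle = win.open(url, '_blank', features);
  return { handle, features };
}

/**
 * Opener-side check behind the manual validation steps: try to send an
 * already-open child to `redirectTo`. Cross-origin `location` is not readable,
 * so this only reports whether the assignment threw; whether the child really
 * moved is observed in the child window itself.
 */
function tryNavigateChild(child, redirectTo) {
  if (!child) return { attempted: false, threw: false }; // popup was blocked
  let threw = false;
  try {
    child.location = redirectTo;
  } catch (_err) {
    threw = true;
  }
  return { attempted: true, threw };
}

/**
 * Full probe: from a console on a *different* origin, open `targetUrl`, wait
 * `delayMs` for it to load, then attempt the redirect. Resolves with the
 * tryNavigateChild result plus the child handle for visual inspection.
 */
function probeChildNavigation(targetUrl, redirectTo, delayMs = 3000, win = globalThis.window) {
  return new Promise((resolve) => {
    const child = win.open(targetUrl);
    setTimeout(() => resolve({ child, ...tryNavigateChild(child, redirectTo) }), delayMs);
  });
}

// In a real browser, disown immediately; under Node there is no window to touch.
if (typeof window !== 'undefined') {
  nullifyWindowOpener(window);
}
```

To reproduce the validation steps, paste the block into the console on https://example.com and run probeChildNavigation('https://gdk.test:3443/', 'https://example.com'), then watch whether the child window leaves GDK GitLab. Whether the blocked navigation surfaces as an exception or only as a console warning is browser-specific, which is why the probe reports both and the steps above ask you to observe the child. A Cross-Origin-Opener-Policy: same-origin response header achieves the same separation from the opener without depending on a script running first; the MR itself does not touch that header.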
