Why does Cross-Origin-Opener-Policy prevent opening links to the same-origin/domain when target="_blank" is used?
Let's say you serve a website with the header Cross-Origin-Opener-Policy: same-origin. This is a new header that, if I understood it correctly, completely separates a browsing tab/origin to protect against such low-level attacks as CPU-microcode attacks (or: side-channel leaks, namely Spectre). OWASP, e.g., recommends it. On https://xsleaks.dev/defenses/coop/ you can read more about potential attacks/vulnerabilities it can prevent, and the same website explains the header in more detail here.
So far so good, so why not apply it?
The thing I – or better, users of our software – noticed is: when you add target="_blank" to an <a href="...">...</a> link that is placed on the same site/domain and targets the same site/domain, the newly opened site is being blocked.
To visualize it, this is all the HTML it needs on https://coop-test.example.com to break such a site:
<a href="https://coop-test.example.com" target="_blank">Click me to p… coop</a>
Given https://coop-test.example.com sets Cross-Origin-Opener-Policy: same-origin.
@RubenFixit (thx!) even tested it out in different browsers:
Firefox:
Blocked Page
An error occurred during a connection to privatebin.net.
Firefox 103.0.2
Edge:
privatebin.net is blocked
privatebin.net refused to connect.
ERR_BLOCKED_BY_RESPONSE
Edge 104.0.1293.63
Chrome:
privatebin.net is blocked
privatebin.net refused to connect.
ERR_BLOCKED_BY_RESPONSE
Chrome 104.0.5112.101
Tries
Additionally, the following suggested security headers are set:
Content-Security-Policy: *long value and not relevant here*
Cross-Origin-Resource-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp
Permissions-Policy: browsing-topics=()
Referrer-Policy: no-referrer
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
The issue does not appear when:
- the target="_blank" is removed, but obviously this changes functionality and is also unintuitive: why does it matter whether a new tab is being opened or not? (Removing things like noopener alone does not seem to make a difference, though.)
- obviously, when Cross-Origin-Opener-Policy is removed
- when opening any other links to other websites

It does, however, happen even if:
- one changes it to the apparently less strict value same-origin-allow-popups
- regardless of the value of Cross-Origin-Resource-Policy
- regardless of the value of rel of the link. Aka by default we set rel="nofollow noopener noreferrer" (more on that below).
Questions
Many Stackoverflow answers tackle similar issues, but most just suggest removing that header. This works, but is obviously not a nice solution.
So why does this happen?
Is it not opening a link from/on the same domain (and thus origin)?
And if so, why does it make a difference whether I force-open the link in a new tab?
And why does it only apply to links from the page to itself, which should be the most harmless ones?
And obviously, how could this issue be solved?
(Note also that these links are auto-generated, and doing that differently based on the domain sounds like a very strange idea. Because otherwise the target could of course be removed.)
This is all strange to me…
Trying to understand it with a table
This MDN table explains that when you navigate from same-origin to same-origin, the "BCG" (aka browsing context group = what I called origin, IIRC) should stay the same when it is the same origin. (Same if same-origin.)
Thus, I understand it as this should work.
So why would target="_blank" cause a new origin? I mean, it was added because of a nasty vulnerability that shares very much of the concept: one wants to prevent links from accessing .opener and thus the original document.
I would even go as far as to say it shares the same intent: to isolate sites/links from each other. They may tackle the issue from two sides, but anyway… So why would they actually conflict?
But as said, when testing, removing noopener alone did not help. It really seems to depend on target="_blank", which IMHO is just a functionality difference.
This question has been cross-posted to Stackoverflow.
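To reproduce the report above and isolate which response header triggers the block, here is a small local test server, added as an example (it is not code from the question or from the PrivateBin project). It serves the same-origin target="_blank" link with the question's header set; the hypothetical ?drop=Header-Name query parameter omits individual headers so you can bisect, and the hostname, port and CSP value are placeholder assumptions.

```python
"""Local reproduction server for the COOP / target="_blank" report (added example)."""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse, parse_qs

# Header set copied from the question; the CSP value is a stand-in, not the real one.
POLICY_HEADERS = {
    "Cross-Origin-Opener-Policy": "same-origin",
    "Content-Security-Policy": "default-src 'self'",
    "Cross-Origin-Resource-Policy": "same-origin",
    "Cross-Origin-Embedder-Policy": "require-corp",
    "Permissions-Policy": "browsing-topics=()",
    "Referrer-Policy": "no-referrer",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "deny",
    "X-XSS-Protection": "1; mode=block",
}


def dropped_from_path(path):
    """Parse the hypothetical ?drop=... parameters into a set of header names."""
    return frozenset(parse_qs(urlparse(path).query).get("drop", []))


def build_headers(drop=frozenset()):
    """Return the policy headers minus the names in `drop` (case-insensitive)."""
    dropped = {name.lower() for name in drop}
    return {k: v for k, v in POLICY_HEADERS.items() if k.lower() not in dropped}


def render_page(path):
    """Same-origin link that opens this very page (same query) in a new tab."""
    return (b'<!doctype html><title>COOP test</title><a href="' + path.encode()
            + b'" target="_blank" rel="nofollow noopener noreferrer">'
            b'Click me to open this page in a new tab</a>')


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        body = render_page(self.path)
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        for name, value in build_headers(dropped_from_path(self.path)).items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Compare http://localhost:8000/ with http://localhost:8000/?drop=Cross-Origin-Opener-Policy
    HTTPServer(("localhost", 8000), Handler).serve_forever()
```

Because the popup requests the same path, the dropped headers apply to both the opener and the opened document, which is the combination the question describes.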