Update Security FAQ about contextual menu navigations.

We have treated "right click > open in a new window" as similar to the
user copy-pasting the URL into a new window. As a result, many policies:
CSP / sandbox / COEP / COOP / Referrer / origin / browsing context group
/ ... are not inherited.

This is deliberate. As long as there is no strong evidence this could
harm users, we really shouldn't try doing something different. This
would:
- Add extra complexity and unresolved questions.
- Allow websites to block users from opening popups. We should consider
  the intents of the users superior to the intents of the website.
- Open up the door to countless opportunities to file new security
  bugs about: "What about inheriting xxx properties?".

There have been 20+ bug reports about this. They have all been closed as
Duplicated/WontFix. See:
- https://bugzilla.mozilla.org/show_bug.cgi?id=1784059
- https://issues.chromium.org/issues/40060542
- https://issues.chromium.org/issues/40057000
- https://issues.chromium.org/issues/324003975
- etc...

We should clear up the ambiguity to avoid additional
security shepherd work to triage the same kind of bug over and over. We
previously agreed with Mozilla to close and make them all public
(2022-08-30).

Bug: 324003975
Change-Id: I89ee125f3964690aadf7d9b0731bc575317f12f3
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/5279395
Commit-Queue: Arthur Sonzogni <[email protected]>
Reviewed-by: Mike West <[email protected]>
Cr-Commit-Position: refs/heads/main@{#1259862}
diff --git a/docs/security/faq.md b/docs/security/faq.md
index 20d4021..fd4c56b2 100644
--- a/docs/security/faq.md
+++ b/docs/security/faq.md
@@ -299,6 +299,36 @@
 Note that a user navigating to a download will cause a file to be
 [downloaded](https://crbug.com/1114592).
 
+<a name="TOC-security-properties-not-inherited-using-contextual-menu-"></a>
+### Sandbox/CSP/etc... security properties are not inherited when navigating using the middle-click/contextual-menu - is this a security bug?
+
+The security properties of the document providing the URL are not used/inherited
+when the user deliberately opens a link in a popup using one of:
+
+- Ctrl + left-click (Open link in new tab)
+- Shift + left-click (Open link in new window)
+- Middle-click (Open a link in a new tab)
+- Right-click > "Open link in ..."
+
+These methods of following a link have more or less the same implications as the
+user copying the link's URL and pasting it into a newly-opened window. We treat
+them as user-initiated top-level navigations, and as such will not apply or
+inherit policy restrictions into the new context
+
+Example of security related properties:
+
+- Content-Security-Policy
+- Cross-Origin-Embedder-Policy
+- Cross-Origin-Opener-Policy
+- Origin
+- Referrer
+- Sandbox
+- etc...
+
+These browser's actions/shortcuts are specific to Chrome. They are different
+from the behavior specified by the web-platform, such as using executing
+`window.open()` or opening a link with the `target=_blank` attribute.
+
 ## Areas outside Chrome's Threat Model
 
 <a name="TOC-Are-privacy-issues-considered-security-bugs-"></a>
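
Review bot: The new entry's heading asks "is this a security bug?" but the body never states the answer; open the first paragraph with an explicit "No" and note that such reports are closed as Duplicate/WontFix, so a triager can point a reporter at one sentence. Smaller points in the same hunk: the paragraph ending "inherit policy restrictions into the new context" is missing its final period; "such as using executing `window.open()`" has a doubled verb; "Example of security related properties:" should read "Examples of security-related properties:"; "These browser's actions/shortcuts" should be "These browser actions/shortcuts"; and the Ctrl-click and middle-click items describe the same action with different wording ("Open link in new tab" vs. "Open a link in a new tab").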