~sircmpwn/sr.ht-discuss

6 3

[sr.ht pages] - links to external pages only opening in new tab

Details
Message ID
<d66b71f5-c294-f259-ad0d-3acbb71440fe@puer-robustus.eu>
DKIM signature
missing
Download raw message
Hi all!

I've finally decided to investigate why links from my blog (published
via sr.ht pages) to external pages only ever open if I explicitly
instruct the browser to open the link in a new tab. By just clicking the
link, nothing happens.

To me, the html code of my website [1] looks fine, e.g.:

<a rel="noopener noreferrer"
href="http://creativecommons.org/licenses/by/4.0/" target="_blank"
class="ext-links">CC BY 4.0</a>

I'd expect this link to open in a new tab when clicking on it in a
browser. This is also the behavior which I observe when I serve & browse
my blog locally.

Could sourcehut pages' CSP [2] possibly interfere at this point? What
are other possible causes of this issue?

Thanks in advance for your help.

Best,
Alex


[1]: https://www.puer-robustus.eu
[2]: https://srht.site/limitations
Details
Message ID
<c820712d-61b1-8c86-efee-0f108d197098@puer-robustus.eu>
In-Reply-To
<d66b71f5-c294-f259-ad0d-3acbb71440fe@puer-robustus.eu> (view parent)
DKIM signature
missing
Download raw message
As Ignas pointed out to me (thanks!), it is indeed the CSP:

> target="_blank" requires an allow-popups directive when CSP has a
sandbox directive

I found an old email thread [1], where Drew defends the exclusion of
"allow-popups" from the sandbox CSP. Personally, I'd be interested in
him elaborating more on that decision.

If Drew stands by his CSP decision, is this worth being documented as a
limitation of the CSP? Clicking on a link with nothing happening is a
bit irritating ...

For the time being I'll remove the target="_blank" from the links in my
blog.

[1]:
https://lists.sr.ht/~sircmpwn/sr.ht-discuss/%3Cfc729915-55f3-eff5-e345-c1fb0560a41b%40coolguy.website%3E
Details
Message ID
<a01d5fc8-c797-5610-3a9c-ac7e269a3f3c@bitfehler.net>
In-Reply-To
<c820712d-61b1-8c86-efee-0f108d197098@puer-robustus.eu> (view parent)
DKIM signature
missing
Download raw message
On 4/29/22 22:24, Alex wrote:
> As Ignas pointed out to me (thanks!), it is indeed the CSP:
> 
>> target="_blank" requires an allow-popups directive when CSP has a
> sandbox directive
> 
> I found an old email thread [1], where Drew defends the exclusion of
> "allow-popups" from the sandbox CSP. Personally, I'd be interested in
> him elaborating more on that decision.

Can't speak for Drew, but I personally very much support that sites (not 
just srht) should not be able to open popups, ever :)

I would concede that one can have different opinions on the fact that 
the spec considers target=_blank the same as opening a popup, but to me, 
even that does make sense. But even if you don't, allowing popups 
outright seems like a pretty bad trade-off.

> If Drew stands by his CSP decision, is this worth being documented as a
> limitation of the CSP? Clicking on a link with nothing happening is a
> bit irritating ...

One person's limitation is another one's feature :) I find it irritating 
when I click a link and a new tab opens. Why not trust your readers that 
they can decide for themselves how to open a link?

> For the time being I'll remove the target="_blank" from the links in my
> blog.

I wholeheartedly support that :)

Conrad
Details
Message ID
<2ec97194-06e2-7184-5131-acc3b1de72a9@puer-robustus.eu>
In-Reply-To
<a01d5fc8-c797-5610-3a9c-ac7e269a3f3c@bitfehler.net> (view parent)
DKIM signature
missing
Download raw message
On 01.05.22 17:18, Conrad Hoffmann wrote:

>> I found an old email thread [1], where Drew defends the exclusion of
>> "allow-popups" from the sandbox CSP. Personally, I'd be interested in
>> him elaborating more on that decision.
> 
> Can't speak for Drew, but I personally very much support that sites (not
> just srht) should not be able to open popups, ever :)
> 
> I would concede that one can have different opinions on the fact that
> the spec considers target=_blank the same as opening a popup, but to me,
> even that does make sense. But even if you don't, allowing popups
> outright seems like a pretty bad trade-off.

I fully agree that sites should never be allowed to open popups. That
opening new tabs would fall into the same category wasn't immediately
obvious to me but it actually makes sense: just imagine all the popups
found on sites of the early internet age opening in tabs ...

So I rest my case with regard to the exclusion of the "allow-popups"
directive.

>> If Drew stands by his CSP decision, is this worth being documented as a
>> limitation of the CSP? Clicking on a link with nothing happening is a
>> bit irritating ...
> 
> One person's limitation is another one's feature :) I find it irritating
> when I click a link and a new tab opens. Why not trust your readers that
> they can decide for themselves how to open a link?

Personally, I have changed my mind yesterday already: I do not want to
force another tab on my readers when clicking a link. If they want to,
they have the means to do so in their browser.

But personal taste notwithstanding, I'd argue that a note about this
particular "limitation" of the CSP in the sr.ht pages docs would make
sense given that I am not the first one to stumble upon this. Will
gladly provide a patch if Drew deems this necessary.
Details
Message ID
<FjLuMTJJgZE8wcKo5OHomINAWfY6t0smQBls5e0YITGAz-XLpD0FuQQzBEzsTm1LXo8kiDDzctVj782gVw3cfRAN977qJe0ASwGRj_zbHPM=@tlambert.be>
In-Reply-To
<2ec97194-06e2-7184-5131-acc3b1de72a9@puer-robustus.eu> (view parent)
DKIM signature
missing
Download raw message
> But personal taste notwithstanding, I'd argue that a note about this
> particular "limitation" of the CSP in the sr.ht pages docs would make
> sense given that I am not the first one to stumble upon this. Will
> gladly provide a patch if Drew deems this necessary.

I agree 100% with that.

While I understand Drew's point and where he comes from, opening external links
in tabs in now an expected behavior for most websites. Personally I am not
willing to compromise on that feature. It's perfectly ok, it just means that
SourceHut sites are not for me. No need to get philosophical here.

That being said, I just lost 2 hours migrating my website from Gitlab to
SourceHut and then trying to understand why my hugo-built website was not
behaving as before when it was hosted on Gitlab. I read the "limitations" page
on srht.site prior doing all that. IMO, without being an experienced web
developer, it is hard to understand the full range of limitations introduced by
the CSP header. Ideally all elements of the CSP should be explained so laymen
would understand as well. At the very least, a simple one-line warning to
explicitly detail that links can not open in tabs would be more than welcome!

- Thomas
Details
Message ID
<e9969430-6b5a-ab82-2d36-f57ec2beed38@bitfehler.net>
In-Reply-To
<FjLuMTJJgZE8wcKo5OHomINAWfY6t0smQBls5e0YITGAz-XLpD0FuQQzBEzsTm1LXo8kiDDzctVj782gVw3cfRAN977qJe0ASwGRj_zbHPM=@tlambert.be> (view parent)
DKIM signature
missing
Download raw message
On 8/2/22 12:23, Thomas Lambert wrote:
> At the very least, a simple one-line warning to
> explicitly detail that links can not open in tabs would be more than welcome!

Not an unreasonable request. I sent a patch [1], let's see what Drew 
says. I would however also caution that you totally should at least skim 
over the CSP documentation and check how it might relate to your page. 
Spelling out the policy itself is the most concise way of conveying the 
necessary information.

[1] https://lists.sr.ht/~sircmpwn/sr.ht-dev/patches/34384

Conrad
Details
Message ID
<nllpRCIVaEnBSOosW2jxazSTK5LcRkne0GjIXIKvwOtemXMaVOqFKTQ1y91puF3ez5aSogyYBhBxps3IrU8XG0RKObJoi_5rcr1jQD82q6I=@tlambert.be>
In-Reply-To
<e9969430-6b5a-ab82-2d36-f57ec2beed38@bitfehler.net> (view parent)
DKIM signature
missing
Download raw message
> Not an unreasonable request. I sent a patch, let's see what Drew
> says.

Awesome, thank you! The patch is all good for me.
Reply to thread Export thread (mbox)