ALLOWPOPUPS_HTML_CHECK

Anthony Trummer edited this page Jan 6, 2022 · 4 revisions

ALLOWPOPUPS_HTML_CHECK - Do not allow pop-ups in webviews

When the allowpopups attribute is present, the guest page will be allowed to open new windows. Pop-ups are disabled by default.


Risk

Disabling pop-ups reduces the risk of UI-redressing attacks and limits the exploitability of window abuses. Additionally, pop-ups are often used for intrusive advertising and for persistence in JavaScript-based attacks.

Auditing

Search for the allowpopups attribute in webview tags:

<webview src="https://doyensec.com/" allowpopups></webview>
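
One way to automate this search across an application's HTML files, as an added example that is not part of the original page and is not Electronegativity's own code. The function names and the sample markup are constructed for illustration; any occurrence of the attribute is reported regardless of its value, on the assumption that presence alone enables pop-ups.

```javascript
'use strict';
// Added example (not Electronegativity code): flag <webview> tags carrying allowpopups.

// Constructed sample markup; only lines 2 and 4 should be reported.
const SAMPLE = [
  '<!-- <webview src="https://old.example.test/" allowpopups></webview> -->',
  '<webview src="https://doyensec.com/" allowpopups></webview>',
  '<webview src="https://example.test/?q=allowpopups"></webview>',
  '<WebView id="help" AllowPopups="false" src=\'https://example.test/help\'></WebView>',
].join('\n');

// Split a start tag's attribute text into a Map keyed by lowercased name.
// Values are consumed whole, so "allowpopups" inside a URL is never seen as a name.
function parseAttributes(attrText) {
  const attrs = new Map();
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  let m;
  while ((m = re.exec(attrText)) !== null) {
    const name = m[1].toLowerCase();
    if (!attrs.has(name)) attrs.set(name, m[2] ?? m[3] ?? m[4] ?? null);
  }
  return attrs;
}

// Return one finding per <webview> start tag whose attributes include allowpopups.
function findAllowPopups(html, file = '<inline>') {
  // Blank out comments but keep newlines so reported line numbers stay correct.
  const source = html.replace(/<!--[\s\S]*?-->/g, (c) => c.replace(/[^\n]/g, ' '));
  const tagRe = /<webview(?=[\s\/>])((?:"[^"]*"|'[^']*'|[^>"'])*)>/gi;
  const findings = [];
  let m;
  while ((m = tagRe.exec(source)) !== null) {
    const attrs = parseAttributes(m[1]);
    if (!attrs.has('allowpopups')) continue;
    findings.push({
      file,
      line: source.slice(0, m.index).split('\n').length,
      src: attrs.get('src') ?? null,
      value: attrs.get('allowpopups'), // null when written as a bare attribute
    });
  }
  return findings;
}

console.log(findAllowPopups(SAMPLE, 'sample.html'));
```

Each finding carries the file, line and src of the offending tag, so the guest origin that is allowed to open windows can be reviewed directly.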
