_target=blank stopped working in messages?

Hi, 

did something change recently so that links with target=_blank in message doesn't work anymore?

Example: 

The sourcecode looks like this:

Nothing happens when clicking on the link.

If I remove target=_blank the page opens up inside the message pane - not ideal.

RE: _target=blank stopped working in messages?

This is due to the iframes containing messages having the sandbox attribute.

This has been done both to increase performance (do sanitizing of script/html client side) and to increase security.

I think Sverre replied to some other comment regarding it elsewhere?

Av: Hans Wilhelmsen 14. feb 2019

RE: _target=blank stopped working in messages?

Hi,

Hans is right, this is caused by our new sandbox'ing strategy. However, I see that there is an allow-popups parameter for the sandbox that will allow targeted links. I will discuss this with our security people, and if it is OK then we will add this parameter. In the meanwhile, right-click and open in new tab is the workaround.

Sverre

Av: Sverre Hjelm 14. feb 2019

RE: _target=blank stopped working in messages?

Ok, thanks.

Av: Frode Lillerud 14. feb 2019

RE: _target=blank stopped working in messages?

Issue ID 63193. Fixed and scheduled for 8.4R07.

Sverre

Av: Sverre Hjelm 19. feb 2019

RE: _target=blank stopped working in messages?

Hi, 

is there any setting in 8.4 R06 we can change to bypass or change the sandbox?

I need to find another way around this problem than the suggested workaround, because rightclick doesn't work in Internet Explorer.

Av: Frode Lillerud 26. apr 2019

RE: _target=blank stopped working in messages?

Hi Frode,

Take a look at reg_id 348, 'Use sandbox for viewing ticket messages'. Maybe if you set that value to 0 the sandboxing is turned off? (Haven't tested it myself, don't have a 8.4 r6 environment to test on)

Av: David Hollegien 26. apr 2019

RE: _target=blank stopped working in messages?

Lovely David, that worked!

Av: Frode Lillerud 26. apr 2019

RE: _target=blank stopped working in messages?

Hi guys. We have a similar problem where we "put in" a message to Service with a link to an internal system that runs scripts. This link fails if I dont turn off the Sandboxing Registry key.

Would an sandbox-attribute 'allow-popups-to-escape-sandbox' in the sandbox mode be "too risky" to include? I really dont know if a HREF would be without the sandbox if this attribute is included, but I would like to keep the sandboxing inside the message, but not if you click on a link opening a new window. 

If I turn off the sandbox-mode, there seems to be some filtering done that does not allow my message to be formatted by Bootstrap - so there are som minuses by just turning the sandbox-mode off also.. 

Av: Atle Bjerck 5. dec 2019

RE: _target=blank stopped working in messages?

I think adding "allow-popups-to-escape-sandbox" would be a good idea. It solves other problems, for example if you from Gmail include a google drive attachment. Then when you click this link from a message in Servie, it will open in a new window, but you get an error message that your browser does not support JavaScript.

I will check with our security expert if this is ok to add.

Av: Stian Andre Olsen 6. dec 2019

RE: _target=blank stopped working in messages?

Thanks Stian - that would be nice. Please give a notice here if you get a conclusion :) 

Av: Atle Bjerck 6. dec 2019