On 11/30/2016 06:21 PM, Michael A. Peters wrote:
On 11/30/2016 05:23 PM, Ian Hickson wrote:
On Wed, Nov 30, 2016 at 4:49 PM Michael A. Peters
<mpet...@domblogger.net>
wrote:


Right now the specification for window.opener() is seriously insecure,
allowing for cross-domain script access by default.


I believe that's a bit of an overstatement. There are certainly risks
involved in window.opener (they're briefly discussed in the spec itself),
but it doesn't remove the origin checks.



Actually it does. Site A can link to Site B on a completely different
domain and JavaScript on Site B has access to the window for Site A and
can change the URL and other things.


Here is easy demo showing the blatant cross-domain scripting vulnerability.

<!-- put this page as a.html on foo.com -->
<html>
  <head>
    <title>Test target link</title>
  </head>
  <body>
<p><a href="https://bar.net/b.html"; target="_blank">link to different domain</a></p>
  </body>
</html>

<!-- put this page as b.html on bar.net -->
<html>
  <head>
    <title>Test window.opener</title>
    <script type="text/javascript" >
if (window.opener && !window.opener.closed)
  opener.location = 'http://www.example.org/'
    </script>
  </head>
  <body>
<p>The page on foo.com will have changed to http://www.example.org/ because this page had script access to that window. Obvious very serious phishing concern, and probably other concerns</p>
  </body>
</html>

Reply via email to