In Step 12 of 
http://www.whatwg.org/specs/web-apps/current-work/#dom-showmodaldialog,
the auxiliary browsing context's return value is transferred from the
auxiliary browsing context to whichever script called showModalDialog
without regard for the origin of these two browsing contexts.  In most
situations, this will let the auxiliary browsing context XSS the
caller of showModalDialog.  Instead, we should perform the same origin
checks and subsequent transformations that we perform on the dialog
arguments in step 7.

Adam
