I'm hoping to bypass all of those by overriding any specification of target in the link. That is, if "rel=unrelated" is specified, that forces target to be "_blank".
Charlie

On Wed, Jun 6, 2012 at 4:53 PM, Michal Zalewski <[email protected]> wrote:
> Several questions:
>
> 1) How would this mechanism work with named windows (which may be targeted
> by means other than accessing opener.*)? In certain implementations (e.g.,
> Chrome), the separation in this namespace comes free, but that's not given
> for other browsers. There are ways in which the attacker could, for
> example, load GMail in a window that already has window.name set.
>
> 2) What would be the behavior of a rel=unrelated link with target=
> pointing to an existing iframe on the page? Could it work in any useful way?
>
> 3) What about the same with target= pointing to an existing window? Would
> that window become isolated? What would happen to the 'back' button /
> history.back()?
