Hi,

This bug has been open for Chromium since last year:
https://code.google.com/p/chromium/issues/detail?id=168988

It describes the ability of a popup window or other tab to modify the location of its window.opener even when the two windows have different domains. Basically window.opener.location.href = "whatever" works all the time, regardless of origin restrictions, and pretty much works that way across all browsers.

This seems to indicate that this behavior isn't allowed:
https://html.spec.whatwg.org/#allowed-to-navigate

This issue is pretty big for sites that host user-generated content, as it's easy to create an attack, such as:

1. Go to a UGC site that allows uploading files with embedded links.
2. Upload a file containing a link to an attacker's page.
3. When someone clicks the link, the attacker page redirects the original window to a page that looks like the UGC site but is actually a phishing site designed to look like it. The user doesn't notice this because focus is on the attacker's page in the new window while the redirect happens.


So my question is: is the spec incorrect in that it should reflect reality? Or are browsers incorrect and we should be hounding them to fix this behavior?

--
___________________________
Nicholas C. Zakas
http://www.nczonline.net
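Added example, not part of the original message or written by its author: the Node.js script below models the four clauses of the "allowed to navigate" algorithm at the spec link above as they read at the time of this thread (my paraphrase of the spec text, treated as an assumption), runs them against the popup/opener scenario the message describes, and shows a server-side mitigation for step 2 of the attack: rendering user-supplied links with rel="noopener noreferrer" so the new window's window.opener is null. The noopener mitigation is not discussed in the message and is added here as the standard fix; all origins, context names and sample links are constructed.

```javascript
// Minimal browsing-context model: a top-level context has no parent; an
// auxiliary context (popup) records its opener. Constructed for this example.
function makeContext(name, origin, { parent = null, opener = null } = {}) {
  return { name, origin, parent, opener };
}

function topLevelOf(ctx) {
  let c = ctx;
  while (c.parent) c = c.parent;
  return c;
}

function ancestorsOf(ctx) {
  const out = [];
  for (let c = ctx.parent; c; c = c.parent) out.push(c);
  return out;
}

// Paraphrase of the spec's "allowed to navigate" clauses (assumption):
// A may navigate B if
//   1. A's and B's active documents have the same origin, or
//   2. A is a nested context and its top-level context is B, or
//   3. B is an auxiliary context and A is allowed to navigate B's opener, or
//   4. B is a nested context and some ancestor of B has A's origin.
function allowedToNavigate(a, b) {
  if (a.origin === b.origin) return true;
  if (a.parent && topLevelOf(a) === b) return true;
  if (b.opener && allowedToNavigate(a, b.opener)) return true;
  if (b.parent && ancestorsOf(b).some((anc) => anc.origin === a.origin)) return true;
  return false;
}

// The scenario from the message: a UGC site opens a link into a new window
// that ends up on the attacker's origin, and the popup then sets
// window.opener.location.href. Per the clauses above this should be refused,
// while the opener navigating its own popup (clause 3) is allowed.
function specVerdicts() {
  const ugc = makeContext("ugc-site", "https://ugc.example");
  const popup = makeContext("attacker-popup", "https://attacker.example", { opener: ugc });
  const sameOriginPopup = makeContext("ugc-popup", "https://ugc.example", { opener: ugc });
  return {
    popupNavigatesOpener: allowedToNavigate(popup, ugc),                    // spec: false
    openerNavigatesPopup: allowedToNavigate(ugc, popup),                    // spec: true
    sameOriginPopupNavigatesOpener: allowedToNavigate(sameOriginPopup, ugc), // spec: true
  };
}

// Mitigation for step 2 of the attack (not from the message): when the UGC
// site renders a user-supplied link, open it in a new window with
// rel="noopener" so the new window cannot reach this one through
// window.opener. Non-http(s) schemes are rendered as plain text.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => (
    { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]
  ));
}

function renderUgcLink(href, text) {
  let url;
  try {
    url = new URL(href);
  } catch {
    return escapeHtml(text);
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return escapeHtml(text);
  return `<a href="${escapeHtml(url.href)}" target="_blank" rel="noopener noreferrer">${escapeHtml(text)}</a>`;
}

console.log(specVerdicts());
console.log(renderUgcLink("https://attacker.example/landing", "my document"));
console.log(renderUgcLink("javascript:alert(1)", "my document"));
```

The model deliberately ignores sandboxing flags, which the spec also consults; the point here is only that the popup-to-opener case is cross-origin and matches none of the four clauses, even though, as the message says, browsers let window.opener.location.href succeed anyway.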