Hi,
This bug has been open for Chromium since last year:
https://code.google.com/p/chromium/issues/detail?id=168988
It describes the ability of a popup window or other tab to modify the
location of its window.opener even when the two windows have different
domains. Basically window.opener.location.href = "whatever" works all
the time, regardless of origin restrictions, and pretty much works that
way across all browsers.
This seems to indicate that this behavior isn't allowed:
https://html.spec.whatwg.org/#allowed-to-navigate
This issue is pretty big for sites that host user-generated content, as
it's easy to create an attack, such as:
1. Go to a UGC site that allows uploading files with embedded links.
2. Upload a file containing a link to an attacker's page.
3. When someone clicks the link, the attacker page redirects the original
window to a page that looks like the UGC site but is actually a phishing site
designed to look like it. The user doesn't notice this because focus is on the
attacker's page in the new window while the redirect happens.
So my question is: is the spec incorrect in that it should reflect
reality? Or are browsers incorrect and we should be hounding them to fix
this behavior?
--
___________________________
Nicholas C. Zakas
http://www.nczonline.net
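As an added illustration (not part of the message and not the spec's own text), here is a JavaScript model of the four conditions in the spec's allowed-to-navigate definition as I paraphrase them, run over the UGC scenario described above, together with the link hardening a UGC site can apply on its side. The context names and origins are constructed, and `hardenLinkAttrs` is a hypothetical helper, not a browser API.

```javascript
// Model of the spec's "allowed to navigate" conditions (paraphrased,
// not the spec text): may a popup navigate its cross-origin opener?
// A browsing context is { name, origin, parent, opener }.
function makeContext(name, origin, { parent = null, opener = null } = {}) {
  return { name, origin, parent, opener };
}
function topLevel(ctx) {
  let c = ctx;
  while (c.parent) c = c.parent;
  return c;
}
function ancestors(ctx) {
  const out = [];
  for (let c = ctx.parent; c; c = c.parent) out.push(c);
  return out;
}

// True when context A is allowed to navigate context B.
function allowedToNavigate(a, b) {
  // 1. Same origin.
  if (a.origin === b.origin) return true;
  // 2. A is nested and its top-level context is B.
  if (a.parent && topLevel(a) === b) return true;
  // 3. B is auxiliary (has an opener) and A may navigate that opener.
  if (b.opener && allowedToNavigate(a, b.opener)) return true;
  // 4. B is nested and some ancestor of B is same-origin with A.
  if (b.parent && ancestors(b).some((c) => c.origin === a.origin)) return true;
  return false;
}

// Constructed scenario from the message: a UGC tab opens an attacker page.
function ugcScenario() {
  const ugc = makeContext("ugc-tab", "https://ugc.example");
  const popup = makeContext("popup", "https://attacker.example", { opener: ugc });
  return {
    popupMayNavigateOpener: allowedToNavigate(popup, ugc), // false per the spec
    openerMayNavigatePopup: allowedToNavigate(ugc, popup), // true, condition 3
  };
}

// Defender-side fix a UGC site can apply (hypothetical helper): rel="noopener"
// on target="_blank" links makes window.opener null in the new window, so
// nothing is exposed whichever navigation rule the browser implements.
function hardenLinkAttrs(attrs) {
  if (attrs.target !== "_blank") return { ...attrs };
  const rel = new Set((attrs.rel || "").split(/\s+/).filter(Boolean));
  rel.add("noopener");
  return { ...attrs, rel: [...rel].join(" ") };
}
```

The model returns false for the popup navigating its cross-origin opener, which is the reading of the spec the message gives, while the opener may still navigate the popup through condition 3.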