> even when the two windows have different domains
> Basically window.opener.location.href = "whatever" works all the time

Looks like Chrome, Firefox and Opera already differentiate between window origins when the example is changed to window.opener.location.href="javascript:alert('Gotcha');" - if they're on the same origin the alert is displayed, if they're on different origins it's not. I guess it's logical that the existing restriction should be applied more widely.

Mat Carey

> On 5 Jan 2015, at 22:17, Nicholas C. Zakas <standa...@nczconsulting.com> wrote:
>
> Hi,
>
> This bug has been open for Chromium since last year:
> https://code.google.com/p/chromium/issues/detail?id=168988
>
> It describes the ability of a popup window or other tab to modify the location of its window.opener even when the two windows have different domains. Basically window.opener.location.href = "whatever" works all the time, regardless of origin restrictions, and pretty much works that way across all browsers.
>
> This seems to indicate that this behavior isn't allowed:
> https://html.spec.whatwg.org/#allowed-to-navigate
>
> This issue is pretty big for sites that host user-generated content, as it's easy to create an attack, such as:
>
> 1. Go to a UGC site that allows uploading files with embedded links.
> 2. Upload a file containing a link to an attacker's page.
> 3. When someone clicks the link, the attacker page redirects the original window to a page that looks like the UGC site but is actually a phishing site designed to look like it. The user doesn't notice this because focus is on the attacker's page in the new window while the redirect happens.
>
> So my question is: is the spec incorrect in that it should reflect reality? Or are browsers incorrect and we should be hounding them to fix this behavior?
>
> --
> ___________________________
> Nicholas C. Zakas
> http://www.nczonline.net
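The UGC site's side of the mitigation for the scenario Nicholas describes, as an added example that is not part of this thread: mark every user-generated link that opens another window with the `rel="noopener"` link type (standardized after this thread), so the opened page has no `window.opener` to navigate. The `user-content` element id and the helper function names are assumptions.

```javascript
// Added example, not from the thread: harden user-generated links so a
// page opened from them has no window.opener to navigate the UGC site's tab.

// Link types that detach the new window from its opener. "noreferrer"
// implies "noopener" in current engines; both are set for older ones.
const OPENER_BREAKING_REL = ["noopener", "noreferrer"];

// Targets that stay in the current browsing context tree: no opener created.
const SAME_CONTEXT_TARGETS = new Set(["_self", "_parent", "_top"]);

// Merge the opener-breaking tokens into an existing rel value, keeping
// tokens the author already set (e.g. "nofollow") and avoiding duplicates.
function hardenRel(existingRel) {
  const tokens = (existingRel || "").trim().split(/\s+/).filter(Boolean);
  for (const t of OPENER_BREAKING_REL) {
    if (!tokens.includes(t)) tokens.push(t);
  }
  return tokens.join(" ");
}

// An anchor needs hardening when it opens another browsing context:
// "_blank" or any named window. No target means the current tab navigates.
function needsHardening(target) {
  if (target == null) return false;
  return !SAME_CONTEXT_TARGETS.has(target.trim().toLowerCase());
}

// Pure version over a plain attribute map (assumed shape: href/target/rel),
// usable from a server-side sanitizer as well as from the DOM walker below.
function hardenAnchorAttrs(attrs) {
  if (!needsHardening(attrs.target)) return { ...attrs };
  return { ...attrs, rel: hardenRel(attrs.rel) };
}

// DOM version: fix every anchor under `root` and report how many changed.
function hardenAnchors(root) {
  let changed = 0;
  for (const a of root.querySelectorAll("a[href][target]")) {
    if (needsHardening(a.getAttribute("target"))) {
      a.setAttribute("rel", hardenRel(a.getAttribute("rel")));
      changed++;
    }
  }
  return changed;
}

// In a browser, run over the user-content container (assumed id) on load.
if (typeof document !== "undefined") {
  hardenAnchors(document.getElementById("user-content") || document);
}
```

For links opened programmatically, the equivalent is the `noopener` window feature, `window.open(url, "_blank", "noopener")`, which returns null because no handle to the new window is given to the opener.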