On 1/5/15 8:14 PM, Mat Carey wrote:
> even when the two windows have different domains
> Basically window.opener.location.href = "whatever" works all the time
> Looks like Chrome, Firefox and Opera already differentiate between window origins
> when the example is changed to
> window.opener.location.href="javascript:alert('Gotcha');" - if they're on the
> same origin the alert is displayed, if they're on different origins it's not.
This is a totally different issue. This case basically does an eval in
window.opener, and has to be blocked if the setter is not same-origin to
prevent cross-site scripting exploits.
You can see this in the spec in
https://html.spec.whatwg.org/multipage/browsers.html#navigating-across-documents
step 15 the javascript: case, substep 1, which says:
If the origin of the source browsing context is not the same origin
as the origin of the active document of the browsing context being
navigated, then act as if the result of evaluating the script was
the void value, and jump to the step labeled process results below.
Importantly, this is absolutely required to prevent XSS, as I said, and
all browsers already do this and have since time immemorial, so no sites
depend on this working.
> I guess it's logical that the existing restriction should be applied more
> widely.
The wider application doesn't resolve immediate XSS issues, and is very
likely to cause web compat problems.
It's worth thinking about, but data on how serious the web compat issues
are is key. And as noted sites have a way to opt in to more protection
here already; the only thing we're discussing is the default behavior.
-Boris