On 1/5/15 8:14 PM, Mat Carey wrote:
even when the two windows have different domains
Basically window.opener.location.href = "whatever" works all the time

Looks like Chrome, Firefox and Opera already differentiate between window origins 
when the example is changed to 
window.opener.location.href="javascript:alert(‘Gotcha');” - if they’re on the 
same origin the alert is displayed, if they’re on different origins it’s not.

This is a totally different issue. This case basically does an eval in window.opener, and has to be blocked if the setter is not same-origin to prevent cross-site scripting exploits.

You can see this in the spec in https://html.spec.whatwg.org/multipage/browsers.html#navigating-across-documents step 15 the javascript: case, substep 1, which says:

  If the origin of the source browsing context is not the same origin
  as the origin of the active document of the browsing context being
  navigated, then act as if the result of evaluating the script was
  the void value, and jump to the step labeled process results below.

Importantly, this is absolutely required to prevent XSS, as I said, and all browsers already do this and have since time immemorial, so no sites depend on this working.

I guess it’s a logical that the existing restriction should be applied more 
widely.

The wider application doesn't resolve immediate XSS issues, and is very likely to cause web compat problems.

It's worth thinking about, but data on how serious the web compat issues are is key. And as noted sites have a way to opt in to more protection here already; the only thing we're discussing is the default behavior.

-Boris

Reply via email to