On 11/30/2016 06:21 PM, Michael A. Peters wrote:
On 11/30/2016 05:23 PM, Ian Hickson wrote:
On Wed, Nov 30, 2016 at 4:49 PM Michael A. Peters
Right now the specification for window.opener() is seriously insecure,
allowing for cross-domain script access by default.
I believe that's a bit of an overstatement. There are certainly risks
involved in window.opener (they're briefly discussed in the spec itself),
but it doesn't remove the origin checks.
Actually it does. Site A can link to Site B on a completely different
can change the URL and other things.
Here is easy demo showing the blatant cross-domain scripting vulnerability.
<!-- put this page as a.html on foo.com -->
<title>Test target link</title>
<p><a href="https://bar.net/b.html" target="_blank">link to
<!-- put this page as b.html on bar.net -->
if (window.opener && !window.opener.closed)
opener.location = 'http://www.example.org/'
<p>The page on foo.com will have changed to http://www.example.org/
because this page had script access to that window. Obvious very serious
phishing concern, and probably other concerns</p>