- From: Nicholas C. Zakas <standards@nczconsulting.com>
- Date: Mon, 05 Jan 2015 14:17:09 -0800
- To: whatwg@lists.whatwg.org
Hi,

This bug has been open for Chromium since last year:
https://code.google.com/p/chromium/issues/detail?id=168988

It describes the ability of a popup window or other tab to modify the location of its window.opener even when the two windows have different domains. Basically window.opener.location.href = "whatever" works all the time, regardless of origin restrictions, and pretty much works that way across all browsers.

This seems to indicate that this behavior isn't allowed:
https://html.spec.whatwg.org/#allowed-to-navigate

This issue is pretty big for sites that host user-generated content, as it's easy to create an attack, such as:

1. Go to a UGC site that allows uploading files with embedded links.
2. Upload a file containing a link to an attacker's page.
3. When someone clicks the link, the attacker page redirects the original window to a page that looks like the UGC site but is actually a phishing site designed to look like it. The user doesn't notice this because focus is on the attacker's page in the new window while the redirect happens.

So my question is: is the spec incorrect in that it should reflect reality? Or are browsers incorrect and we should be hounding them to fix this behavior?

--
___________________________
Nicholas C. Zakas
http://www.nczonline.net
Received on Monday, 5 January 2015 23:05:52 UTC
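
One mitigation available to a site that hosts user-generated content, given here as an added example that is not part of the original message: give every link that can open a new tab or window the "noopener" and "noreferrer" rel link types, so the opened page receives no window.opener handle to navigate. The helper names, fakeLink and the sample URLs are constructed for illustration.

```javascript
// Added example: give links in user-generated content the "noopener" and
// "noreferrer" link types so the page they open receives no window.opener.
const REQUIRED_REL = ["noopener", "noreferrer"];
const SAME_CONTEXT_TARGETS = ["_self", "_parent", "_top"];

// True when the link's target can create a new tab or window.
function opensNewContext(el) {
  const target = (el.getAttribute("target") || "").trim().toLowerCase();
  return target !== "" && !SAME_CONTEXT_TARGETS.includes(target);
}

// Adds any missing required rel tokens, keeping the existing ones.
// Returns true if the element was changed.
function hardenLink(el) {
  if (!opensNewContext(el)) return false;
  const tokens = (el.getAttribute("rel") || "").split(/\s+/).filter(Boolean);
  const present = new Set(tokens.map((t) => t.toLowerCase()));
  const missing = REQUIRED_REL.filter((t) => !present.has(t));
  if (missing.length === 0) return false;
  el.setAttribute("rel", tokens.concat(missing).join(" "));
  return true;
}

// Hardens every link in an iterable and returns how many were changed.
// In a browser: hardenAll(container.querySelectorAll("a[target], area[target]"))
function hardenAll(links) {
  let changed = 0;
  for (const el of links) if (hardenLink(el)) changed++;
  return changed;
}

// Constructed stand-in for a DOM element (hypothetical helper) so the
// example also runs outside a browser.
function fakeLink(attrs) {
  const a = { ...attrs };
  return {
    getAttribute: (k) => (k in a ? a[k] : null),
    setAttribute: (k, v) => { a[k] = String(v); },
  };
}

// Constructed sample input: three links as a UGC page might render them.
function demo() {
  const links = [
    fakeLink({ href: "https://other.example/", target: "_blank" }),
    fakeLink({ href: "https://other.example/", target: "_blank", rel: "nofollow NoOpener" }),
    fakeLink({ href: "https://other.example/" }),
  ];
  return { changed: hardenAll(links), rels: links.map((l) => l.getAttribute("rel")) };
}
```

This covers links rendered into the page; windows opened from script with window.open() need the same treatment separately.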