- From: Charlie Reis <creis@chromium.org>
- Date: Wed, 6 Jun 2012 16:56:47 -0700
- To: Michal Zalewski <lcamtuf@coredump.cx>
- Cc: whatwg@lists.whatwg.org

I'm hoping to bypass all of those by overriding any specification of target in the link. That is, if "rel=unrelated" is specified, that forces target to be "_blank".

Charlie

On Wed, Jun 6, 2012 at 4:53 PM, Michal Zalewski <lcamtuf@coredump.cx> wrote:

> Several questions:
>
> 1) How would this mechanism work with named windows (which may be targeted
> by means other than accessing opener.*)? In certain implementations (e.g.,
> Chrome), the separation in this namespace comes free, but that's not given
> for other browsers. There are ways in which the attacker could, for
> example, load GMail in a window that already has window.name set.
>
> 2) What would be the behavior of a rel=unrelated link with target=
> pointing to an existing iframe on the page? Could it work in any useful way?
>
> 3) What about the same with target= pointing to an existing window? Would
> that window become isolated? What would happen to the 'back' button /
> history.back()?

Received on Wednesday, 6 June 2012 23:57:16 UTC