W3C home > Mailing lists > Public > whatwg@whatwg.org > January 2015

[whatwg] Clarification for window.opener.location.href

From: Nicholas C. Zakas <standards@nczconsulting.com>
Date: Mon, 05 Jan 2015 14:17:09 -0800
Message-ID: <54AB0D65.2090203@nczconsulting.com>
To: whatwg@lists.whatwg.org
Hi,

This bug has been open for Chromium since last year:
https://code.google.com/p/chromium/issues/detail?id=168988

It describes the ability of a popup window or other tab to modify the 
location of it's window.opener even when the two windows have different 
domains. Basically window.opener.location.href = "whatever" works all 
the time, regardless of origin restrictions, and pretty much works that 
way across all browsers.

This seems to indicate that this behavior isn't allowed:
https://html.spec.whatwg.org/#allowed-to-navigate

This issue is pretty big for sites that host user-generated content, as 
it's easy to create an attack, such as:

1. Go to a UGC site that allows uploading files with embedded links.
2. Upload a file containing a link to an attacker's page.
3. When someone clicks the link, the attacker page redirects the original window to a page that looks like the UGC site but is actually a phishing site designed to look like it. The user doesn't notice this because focus is on the attacker's page in the new window while the redirect happens.


So my question is: is the spec incorrect in that it should reflect 
reality? Or are browsers incorrect and we should be hounding them to fix 
this behavior?

-- 
___________________________
Nicholas C. Zakas
http://www.nczonline.net
Received on Monday, 5 January 2015 23:05:52 UTC

This archive was generated by hypermail 2.3.1 : Monday, 13 April 2015 23:09:32 UTC