W3C home > Mailing lists > Public > whatwg@whatwg.org > January 2015

Re: [whatwg] Clarification for window.opener.location.href

From: Mat Carey <mat@matcarey.co.uk>
Date: Tue, 6 Jan 2015 01:14:55 +0000
Message-Id: <758F8506-FD37-4721-BB10-8E1024BBD38E@matcarey.co.uk>
To: whatwg@lists.whatwg.org
Cc: "Nicholas C. Zakas" <standards@nczconsulting.com>
> even when the two windows have different domains
> Basically window.opener.location.href = "whatever" works all the time

Looks like Chrome, Firefox and Opera already differentiate between window origins when the example is changed to window.opener.location.href="javascript:alert(‘Gotcha');” - if they’re on the same origin the alert is displayed, if they’re on different origins it’s not.

I guess it’s a logical that the existing restriction should be applied more widely.

Mat Carey

> On 5 Jan 2015, at 22:17, Nicholas C. Zakas <standards@nczconsulting.com> wrote:
> 
> Hi,
> 
> This bug has been open for Chromium since last year:
> https://code.google.com/p/chromium/issues/detail?id=168988
> 
> It describes the ability of a popup window or other tab to modify the location of it's window.opener even when the two windows have different domains. Basically window.opener.location.href = "whatever" works all the time, regardless of origin restrictions, and pretty much works that way across all browsers.
> 
> This seems to indicate that this behavior isn't allowed:
> https://html.spec.whatwg.org/#allowed-to-navigate
> 
> This issue is pretty big for sites that host user-generated content, as it's easy to create an attack, such as:
> 
> 1. Go to a UGC site that allows uploading files with embedded links.
> 2. Upload a file containing a link to an attacker's page.
> 3. When someone clicks the link, the attacker page redirects the original window to a page that looks like the UGC site but is actually a phishing site designed to look like it. The user doesn't notice this because focus is on the attacker's page in the new window while the redirect happens.
> 
> 
> So my question is: is the spec incorrect in that it should reflect reality? Or are browsers incorrect and we should be hounding them to fix this behavior?
> 
> -- 
> ___________________________
> Nicholas C. Zakas
> http://www.nczonline.net
> 
Received on Tuesday, 6 January 2015 12:17:37 UTC

This archive was generated by hypermail 2.3.1 : Monday, 13 April 2015 23:09:32 UTC