On 11/30/2016 06:21 PM, Michael A. Peters wrote:
On 11/30/2016 05:23 PM, Ian Hickson wrote:
On Wed, Nov 30, 2016 at 4:49 PM Michael A. Peters
<mpet...@domblogger.net>
wrote:
Right now the specification for window.opener() is seriously insecure,
allowing for cross-domain script access by default.
I believe that's a bit of an overstatement. There are certainly risks
involved in window.opener (they're briefly discussed in the spec itself),
but it doesn't remove the origin checks.
Actually it does. Site A can link to Site B on a completely different
domain and JavaScript on Site B has access to the window for Site A and
can change the URL and other things.
Here is easy demo showing the blatant cross-domain scripting vulnerability.
<!-- put this page as a.html on foo.com -->
<html>
<head>
<title>Test target link</title>
</head>
<body>
<p><a href="https://bar.net/b.html" target="_blank">link to
different domain</a></p>
</body>
</html>
<!-- put this page as b.html on bar.net -->
<html>
<head>
<title>Test window.opener</title>
<script type="text/javascript" >
if (window.opener && !window.opener.closed)
opener.location = 'http://www.example.org/'
</script>
</head>
<body>
<p>The page on foo.com will have changed to http://www.example.org/
because this page had script access to that window. Obvious very serious
phishing concern, and probably other concerns</p>
</body>
</html>