Starred by 2 users
Status: WontFix
Owner: ----
Closed: Feb 2013
Cc:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 0
Type: Bug-Security



Security: opener accessible for pages opened with target=_blank
Reported by roman.sh...@gmail.com, Nov 27 2012
VULNERABILITY DETAILS
An attacker can change the location of the opener page if the attacker's page was opened with target=_blank, so it is possible to use this for phishing and similar attacks.

VERSION
Chrome Version: canary
Operating System: Windows

REPRODUCTION CASE
Click on any target=_blank link.
Write in the console: opener.location = 'test'

 
Comment 1 by tsepez@chromium.org, Nov 27 2012
Status: Invalid
You'll need to also specify rel="noreferrer" along with target="_blank" to get this behaviour.  Thanks.
Comment 2 Deleted
So you mean that developers must always use rel="noreferrer" for third-party links to protect against their page's location being changed?
Comment 4 by tsepez@chromium.org, Nov 28 2012
Cc: creis@chromium.org
Yes.

Adding +creis for any other comment about work in this area.


OMG, this is a big change, and specific to Chrome, because only Chrome has this unsafe behavior.
Comment 6 by creis@chromium.org, Nov 30 2012
Cc: darin@chromium.org
Tom's correct, and it is not a change to have an opener in this case.  The HTML5 spec requires the opener to be present in target=_blank windows, unless the noreferrer keyword is used:
http://dev.w3.org/html5/spec/single-page.html#the-rules-for-choosing-a-browsing-context-given-a-browsing-context-name

I just manually verified that Chrome, Safari, and Firefox all have openers in the new window on a target=_blank link.  

However, Chrome and Safari allow cross-origin pages to navigate the opener, while Firefox does not.  I haven't been able to figure out from the spec which is the correct behavior yet.  Darin, do you know if a cross-origin page should be able to navigate its opener?
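
Added example (not part of the original thread, and not Chromium code): a small Node.js audit that finds cross-origin target=_blank links lacking rel="noreferrer", the keyword comments 1 and 6 say removes the opener, and rewrites them. The function names, the regex-based tag parsing and the sample markup are assumptions made for illustration.

```javascript
// Added example: audit markup for cross-origin target=_blank links without rel=noreferrer.
// Function names and sample markup are hypothetical; regex tag parsing is a simplification.
const A_TAG = /<a(?=[\s\/>])(?:"[^"]*"|'[^']*'|[^'">])*>/gi;
const ATTR = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;

// Parse one <a ...> start tag into an ordered Map of lowercase name -> raw value.
function parseAttrs(tag) {
  const attrs = new Map();
  for (const m of tag.slice(2, -1).matchAll(ATTR)) {
    const name = m[1].toLowerCase();
    if (!attrs.has(name)) attrs.set(name, m[2] ?? m[3] ?? m[4] ?? ''); // first duplicate wins
  }
  return attrs;
}

// True only for http(s) links whose origin differs from the page that contains them.
function isCrossOrigin(href, pageUrl) {
  try {
    const u = new URL(href, pageUrl);
    return /^https?:$/.test(u.protocol) && u.origin !== new URL(pageUrl).origin;
  } catch { return false; }
}

// Report third-party target=_blank links that keep an opener, and add noreferrer to them.
function hardenBlankLinks(html, pageUrl) {
  const findings = [];
  const fixed = html.replace(A_TAG, (tag) => {
    const attrs = parseAttrs(tag);
    const target = (attrs.get('target') || '').toLowerCase();
    const rel = (attrs.get('rel') || '').toLowerCase().split(/\s+/).filter(Boolean);
    const href = attrs.get('href');
    if (target !== '_blank' || href === undefined || rel.includes('noreferrer') ||
        !isCrossOrigin(href, pageUrl)) return tag; // leave the tag untouched
    findings.push(href);
    attrs.set('rel', [...rel, 'noreferrer'].join(' ')); // keep existing rel tokens
    const out = [...attrs].map(([k, v]) => `${k}="${v.replace(/"/g, '&quot;')}"`);
    return `<a ${out.join(' ')}>`;
  });
  return { findings, fixed };
}

// Constructed sample markup (not from the bug report).
const SAMPLE = [
  '<a href="https://third-party.example/page" target="_blank">external</a>',
  '<a href="/help" target="_blank">same origin</a>',
  "<a target=_BLANK rel='nofollow' href=https://other.example/x>unquoted</a>",
  '<a href="https://third-party.example/ok" target="_blank" rel="noreferrer">already safe</a>',
].join('\n');
console.log(hardenBlankLinks(SAMPLE, 'https://site.example/index.html'));
```

Same-origin links are left alone here because the thread's concern is third-party pages; drop the `isCrossOrigin` condition to cover every target=_blank link.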
Project Member Comment 7 by bugdroid1@chromium.org, Feb 27 2013
Status: WontFix
Project Member Comment 8 by bugdroid1@chromium.org, Mar 10 2013
Labels: -Type-Security Type-Bug-Security
Project Member Comment 9 by bugdroid1@chromium.org, Mar 11 2013
Labels: -Area-Undefined
Labels: -Restrict-View-SecurityTeam
Bulk release of old security bug reports.

Project Member Comment 11 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 12 by sheriffbot@chromium.org, Oct 2 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic