Actually, I'm not sure the "incomplete DOM" is any different than a straight window.open("about:blank").  Still, pretty squicked.

Please upload a proof of concept.  Thanks.

Compare the output of:

window.open("about:blank").screen

to

x = window.open("about:blank")
x.screen

That is not a fully initialized object I'm getting back in the former case.  There's just this whole universe of reads and writes with results nobody can assert the characteristics of.

I admit I'm warning you guys a little early.  If you'd prefer to wait for something a little more concrete, I won't be offended, and I'll work to satisfy your request.  My style is to provide warnings without delay.

I can't repro this in the console -- the results of the two look the same.

avi -- Is the wai?

You'll get identical output if you don't allow popups.  Popup blocker isn't considered a security barrier generally, but not sure Chrome policy here.  Attaching screenshot of different output when popup is allowed to occur.

Deleted: uninit.png 67.9 KB

	uninit.png 67.9 KB View Download

I don't know if the uninitialized DOM part is WAI. I'm not really a security details type, so I can't comment to that.

WAI?  Curious about this term.

There's a pile of history (in multiple browsers) around this sort of issue, where there's an explosion of available states at small timescales.

WAI = Working As Intended.

I have no clue as to whether this is an issue or not; it's well out of what I know.

May be Windows only.

window.open("https://gmail.com").document.location.href
"about:blank"

Presumably that is not WAI.

Why not?

window.open() starts loading, but until the load commits the document DOM object is still the old blank one.

A substantially different object is returned on Linux vs. Windows.  Which one is WAI?

As far as I know, the line "window.open("https://gmail.com").document.location.href" is a race. You're racing the load of gmail. Both outcomes seem reasonable to me.

I'm not concerned about about:blank as much as I am by the incomplete object.  You think an object state that exists for milliseconds has had any security coverage?

I'm not just beating the nav to gmail, I'm beating the proper initialization of the window object.

Anyway, this is a debate best resolved by fuzzing :)

What do you mean by "incomplete", though?

If you get something completely different than the object from a normal "about:blank" load, I'd be worried. If it's just the fact that it's "about:blank", I'd not be worried.

Continue fuzzing away, though. That's always enlightening.

I mean uninitialized.  I don't know other things that make navigator not have a user agent, performance come back all 0's, console be missing methods...

There's just lots of history at this attack point.

Deleted: uninit2.png 126 KB

	uninit2.png 126 KB View Download

OK, yeah, that's probably concerning, and over my head.

Possibly different, as closed windows have their own quirks, but:

(w = window.open("about:blank")).close()

eisinger -- Can you suggest an owner, and comment on if this is a known issue (or an issue at all)?  Thanks

this is work as intended. The document is not partially initialized, it's a fully initialized about:blank document. When the new window then navigates to the initial URL, the document is replaced with the one for that url.

Alright, will report back if fuzzing yields.

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot