I should add this fails on a http redirect (302). It works fine using a meta http-equiv=refresh tag.

Following b/c SSO is now broken for Chrome.

I am not sure which redirect you mean in Step 3. Can you provide a reproducer in a form of a few .html files that I could drop into a simple local webserver?

CC: yuweih@ in case he knows someone who knows how oauth is supposed to work :)

This issue is easily reproducible for me:

1. Navigate to DOMAIN1/index.html (index.html has a button that performs step 2)
2. From the page or console, call window.open('DOMAIN2/that/redirects/to/DOMAIN3', '_blank);
3. Once in DOMAIN3, window.opener is null in the new window

This is critical to complete an OAuth flow, such as Facebook login, in which the user needs to authenticate with a service in a different domain, and then be redirected back. If the last redirection happens to the same domain, the issue doesn't reproduces but if it happens to a third domain (not from where the user started the flow nor the service domain), the issue is consistently reproducible.

john.meyer@govivoom.com,buckeridge85@gmail.com - Can you please let us know if this issue is still reproducible on the latest chrome(55.0.2883.91) available on the playstore?

I am having this problem in "Version 57.0.2987.98 (64-bit)" (Debian)

1. Go to DOMAIN1
2. Click link which calls window.open(DOMAIN2...)
3. Child window goes via other domains
4. Back on DOMAIN2, window.parent === window.top and window.opener === null

After more playing, it seems having "noopener=0" in the features was still enabling this feature.

Mike: is this something you could look?  Also cc-ing nasko@ for navigation related issues.

I'm going to punt this to alexmos@ for triage, as I think it's more likely to be navigation/plznavigate-related than Blink-related.

Alex, if you don't have time to take a look, I'll try to hop on it on Monday.

I'm having trouble reproducing this.  I don't have M57 around to try, but I've tried M58 and M60 (Linux), and I can't get the popup to have a null opener.  I've tried window.open to URLs with server redirects as well as various navigations in the popup, and everything seems to preserve the opener.  For example, going to https://csreis.github.io and from devtools, executing window.open("https://httpbin.org/redirect-to?url=http://www.asdf.com"), the new window has a valid opener.

Can someone please share more precise repro steps, or a link to a web page where we can repro this?  I also don't know if this might be specific to Android -- I assumed not, given that #8 had a repro on Debian.

I'm a little confused by #9, but I'll note that if you use window.open(url, "foo", "noopener"), it's expected that the new window will open with a null opener, and I think the value of "noopener" is disregarded (i.e., "noopener=0" or "noopener=1" or "noopener=false" all have the same effect as just "noopener").

Also, this isn't likely to be related to PlzNavigate, as that's only enabled in trials on M60 canary/dev, and this was reported before that.

@john.meyer: Could you please respond to Comment #12 and provide an update by testing the issue on Latest Stable# 61.0.3163.98 and also a screen cast would be helpful for us to triage further.

Thanks in Advance.

***Bulk Edit***

There is no valid investigation going on, hence closing. Please feel free to reopen if needed.

Im able to reproduce this on older Galaxy S (6,7) mobile devices.

my app doesnt self.open("") to instagram's auth flow
instagram then redirects to a url on my domain which tries to use window.opener and getting null.

on most phones and of course desktops this works just fine...