A window may navigate a cross-origin window that it has opened
Reported by 1m0s.r3p...@gmail.com, Mar 22 2018
Issue description

UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36

Steps to reproduce the problem:
1. Use the attached file for the PoC.
2. Click on the included link.
3. Wait 3 sec; the page will be reloaded and redirected to another page.

What is the expected behavior?

What went wrong?
An attacker can change the link after it was opened in a new window. Content of the newly opened window could be manipulated from the previous page.

Did this work before? N/A

Chrome version: 65.0.3325.181
Channel: stable
OS Version: 10.0
Flash Version:

This issue was also tested on macOS 10.13.3 (Chrome Version 65.0.3325.181 (Official Build) (64-bit)).
Comment 1 by elawrence@chromium.org, Mar 22 2018
Status: WontFix (was: Unconfirmed)
Summary: A window may navigate a cross-origin window that it has opened (was: Same Origin Policy bypass)

By design, a browser may navigate top-level windows that it opens, even when they are cross-origin. A simpler repro of this is:

    <html>
    <head>
    <title>Test</title>
    <script>
      var aWin;
      function openit() {
        aWin = window.open("https://www.google.com/");
        setTimeout(renav, 3000);
      }
      function renav() {
        aWin.location.href = "https://example.com/";
      }
    </script>
    </head>
    <body>
      <button onclick="openit()">Click me and wait three seconds</button>
    </body>
    </html>

A proposal to mitigate this (sometimes unwanted) property is described here: https://w3c.github.io/webappsec-csp/#disown-opener

Notably, you'll find that if you change the re-navigation URL to something like

    aWin.location.href = "javascript:alert(document.domain);";

... such navigation is blocked. You also cannot navigate subframes of cross-origin windows that you've opened, or otherwise interact with the *content* of the cross-origin document. One gap in the final restriction is that you *can* determine the number of subframes on the cross-origin window, which is a longstanding information leak; see Issue 752190.

Jun 28 2018
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
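As an added illustration (not part of the bug report and not Chromium's own code), the repro from Comment 1 beside its hardened counterpart: when the opener passes the "noopener" feature, window.open() returns null, so the opener never holds a handle it could use to renavigate the new window. The disown-opener CSP directive linked above did not ship; the Cross-Origin-Opener-Policy response header took its place and lets the opened site sever the relationship from its own side.

```html
<!DOCTYPE html>
<html>
<head>
<title>Opener handle demo (added example)</title>
<script>
  var aWin;      // handle returned by a plain window.open()
  var detached;  // handle returned when "noopener" is requested

  // Unhardened form (as in Comment 1): the opener keeps a WindowProxy
  // and may later navigate the top-level window it opened, cross-origin.
  function openit() {
    aWin = window.open("https://www.google.com/");
    setTimeout(renav, 3000);
  }
  function renav() {
    aWin.location.href = "https://example.com/";   // allowed by design
  }

  // Hardened form: "noopener" makes window.open() return null, so there
  // is no handle to renavigate; the new window also sees opener === null.
  function openDetached() {
    detached = window.open("https://www.google.com/", "_blank", "noopener");
    setTimeout(renavDetached, 3000);
  }
  function renavDetached() {
    if (detached === null) {
      console.log("no handle: the opened window cannot be renavigated");
      return;
    }
    detached.location.href = "https://example.com/";  // never reached here
  }
</script>
</head>
<body>
  <button onclick="openit()">Open (handle kept, renavigated after 3 s)</button>
  <button onclick="openDetached()">Open with noopener (no handle)</button>
  <!-- Server-side counterpart for the opened site: responding with
       Cross-Origin-Opener-Policy: same-origin places the new document in
       its own browsing context group, so an opener's handle is severed
       (aWin.closed becomes true) even if the opener did not use noopener. -->
</body>
</html>
```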