Show a modal warning when a window wants to manipulate its opener

Confirmed Issue #10022307 • Assigned to Crispin C.

Details

Created: Dec 1, 2016
Privacy: This issue is public.
Reports: Reported by 1 person


Steps to reproduce

This is a feature request resulting from this discussion in the WHATWG HTML issue tracker:

https://github.com/whatwg/html/issues/2119

The problem is that rel=noopener is not the perfect solution to mitigate the non-trivial security problem when a window accesses and manipulates its opener window.

Proposed solution: If a window A opens a new window B, and if both windows do not share the same origin, then:

  • detect when B wants to access and/or modify A’s window object
  • if it does, block the action and present the user with a modal warning in A, asking for allowance

The warning could be similar to the ones when entering fullscreen mode or when asking for location information.

This solution addresses the problem that cross-origin access to the parent window object is inherently unsafe but seems to be used in some OAuth workflows, which rules out plainly disallowing this practice.

Attachments

0 attachments
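
Until a browser-side prompt like the one requested exists, a site can audit its own markup for the condition the request describes: a link that opens a new window on a different origin without rel=noopener. The following is an added example, not part of the original issue or of any browser's code; the hostnames, the function names and the `openerAllowedOrigins` parameter (standing in for OAuth-style flows that rely on the opener) are assumptions.

```javascript
// Constructed sample markup; all hostnames are placeholders.
const SAMPLE_HTML = `
<a href="https://other.example/news" target="_blank">news</a>
<a href="https://other.example/docs" target="_blank" rel="noopener">docs</a>
<a href="/local/help" target="_blank">help</a>
<a href="https://idp.example/authorize" target="_blank">sign in</a>
<a href="https://other.example/ref" target="_blank" rel="nofollow noreferrer">ref</a>
<a href="https://other.example/same-tab">same tab</a>
`;

// Read one attribute value (double-quoted, single-quoted or unquoted) from a start tag.
function attr(tag, name) {
  const re = new RegExp(`\\s${name}\\s*=\\s*("([^"]*)"|'([^']*)'|([^\\s>]+))`, "i");
  const m = re.exec(tag);
  return m ? (m[2] ?? m[3] ?? m[4]) : null;
}

// Return every anchor that opens a cross-origin window which keeps a
// reference to the page that opened it (window A in the issue's terms).
function findOpenerExposure(html, pageUrl, openerAllowedOrigins = []) {
  const pageOrigin = new URL(pageUrl).origin;
  const findings = [];
  for (const [tag] of html.matchAll(/<a\b[^>]*>/gi)) {
    const href = attr(tag, "href");
    const target = attr(tag, "target");
    // Links without a target, or targeting the current context, open no new window.
    if (!href || !target || /^_(self|parent|top)$/i.test(target)) continue;
    let dest;
    try { dest = new URL(href, pageUrl); } catch { continue; }
    if (!/^https?:$/.test(dest.protocol)) continue;
    // The request only concerns windows that do not share the opener's origin.
    if (dest.origin === pageOrigin) continue;
    // noreferrer implies noopener, so either token severs the opener link.
    const rel = (attr(tag, "rel") || "").toLowerCase().split(/\s+/);
    if (rel.includes("noopener") || rel.includes("noreferrer")) continue;
    findings.push({
      href: dest.href,
      // Origins where opener access is intended (assumption: an OAuth popup).
      openerExpected: openerAllowedOrigins.includes(dest.origin),
    });
  }
  return findings;
}

const report = findOpenerExposure(
  SAMPLE_HTML, "https://app.example/index.html", ["https://idp.example"]);
console.log(report);
```

The audit covers static markup only; windows opened from script with window.open() are not inspected.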

    Comments and activity

    • Microsoft Edge Team

      Changed Assigned To to “Ibrahim O.”

      Changed Assigned To to “Christian F.”

      Changed Assigned To to “Sermet I.”

      Changed Assigned To from “Sermet I.” to “Crispin C.”

      Changed Status to “Confirmed”
