Show a modal warning, when a window wants to manipulate its opener

UNCONFIRMED
Unassigned

Status

()

Core
DOM: Security
P5
normal
UNCONFIRMED
a year ago
a year ago

People

(Reporter: Manuel Strehl, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [domsecurity-backlog])

(Reporter)

Description

a year ago
This is a feature request resulting from this discussion in the WHATWG HTML issue tracker:

https://github.com/whatwg/html/issues/2119

The problem is, that rel=noopener is not the perfect solution to mitigate the non-trivial security problem, when a window accesses and manipulates its opener window.


Proposed solution: If a window A opens a new window B, and if both windows do not share the same origin, then:

* detect, when B wants to access and/or modify A's window object
* if it does, block the action and present the user with a modal warning in A, asking for allowance


The warning could be similar to the ones when entering fullscreen mode or when asking for location information.

This solution addresses the problem, that cross-origin access to the parent window object is inherently unsafe, but seems to be used in some OAuth workflows, which rules out plainly disallowing this practice.

Comment 1

a year ago
Small remark: I made this suggestion in the Github issue, but I didn't intend the notification to completely block the action. Instead I think it should just provide a notification that the window object has been manipulated, in a similar fashion as the fullscreen notification works. Fully blocking the action will result in poor UX for (e.g.) Oauth flows, which I don't think is desirable (at least not without a secure alternative).

Comment 2

a year ago
I think a blocking dialog is better than a notification, because the "poor UX" would encourage web sites to find a more secure way to implement OAuth. Cross origin opener is different from fullscreen, because the former is what we want to remove from the web one day.
Priority: -- → P5
Whiteboard: [domsecurity-backlog]
You need to log in before you can comment on or make changes to this bug.