Closed Bug 1549376 Opened 5 years ago Closed 5 years ago

bypassing Cross-Origin-Opener-Policy by navigating an existing popup navigation

Categories

(Core :: DOM: Security, defect, P2)

RESOLVED WORKSFORME

People

(Reporter: freddy, Assigned: valentin)

Details

(Keywords: sec-moderate, Whiteboard: [reporter-external][found by ronmasas, see CC list][domsecurity-active])

+++ This bug was initially created as a clone of Bug #1521808 +++

You can bypass COOP with these simple steps:

  1. open a popup to something that is allowed, e.g., p = window.open("about:blank")
  2. navigate that popup with p.location.href = coopProtectedURL
  3. reference p is still valid and can be navigated further

What should happen:
Should invalidate the reference after 2).

We should have a test in wpt for this.
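A local harness for the check this report asks for, as an added example that is not part of the original bug or of the web-platform-tests suite. The paths `/opener` and `/protected`, port 8080, the `--serve` flag and the 2-second wait are assumptions made for the example.

```javascript
// Added example: local regression harness, not Mozilla's or WPT's own test.
// Assumed names: /opener, /protected, port 8080, the --serve flag.

// Runs in the browser on /opener. Performs the steps from the report, then
// checks that the COOP navigation invalidated the opener's popup reference.
function openerScript() {
  const p = window.open("about:blank");   // step 1: popup to an allowed URL
  p.location.href = "/protected";         // step 2: navigate it to a COOP page
  setTimeout(() => {                      // assumed wait for the local load
    // Expected: the popup moved to a new browsing context group, so the old
    // reference reports closed and cannot be used to navigate it further.
    document.body.textContent = p.closed === true
      ? "PASS: popup reference invalidated"
      : "FAIL: popup reference still usable";
  }, 2000);
}

// Maps a request path to status, headers and body.
function route(path) {
  const html = { "Content-Type": "text/html; charset=utf-8" };
  if (path === "/opener") {               // served without COOP
    const body = '<button id="run">run check</button>' +
      `<script>document.getElementById("run").onclick = ${openerScript};</script>`;
    return { status: 200, headers: html, body };
  }
  if (path === "/protected") {            // the COOP-protected document
    const headers = { ...html, "Cross-Origin-Opener-Policy": "same-origin" };
    return { status: 200, headers, body: "<p>COOP-protected page</p>" };
  }
  return { status: 404, headers: html, body: "not found" };
}

// Starts the harness on loopback only.
function serve(port) {
  return import("node:http").then((http) =>
    http.createServer((req, res) => {
      const r = route(new URL(req.url, "http://localhost").pathname);
      res.writeHead(r.status, r.headers);
      res.end(r.body);
    }).listen(port, "127.0.0.1"));
}

if (process.argv.includes("--serve")) serve(8080);
```

Start it with `--serve`, open `http://127.0.0.1:8080/opener` in the browser under test and click the button; the click is needed so the popup is not blocked.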

Whiteboard: [reporter-external][found by ronmasas, see CC list]

Totally off topic and I'm sorry about that, but fwiw, I was on the cc list of Bug #1521808 (the one you cloned from) and now I was also cc'ed on this sec-sensitive bug (those sec bugs get marked differently in my inbox and I almost immediately look at them).

Here, it looks like some people were removed when cloning (maybe non-@mozilla accounts?). Still, I don't find cloning and especially the cc list copying very useful and maybe it is even less ideal for sec-sensitive bugs.

Component: DOM: Core & HTML → DOM: Security

(In reply to Florian Scholz [:fscholz] (MDN) from comment #2)

> Here, it looks like some people were removed when cloning (maybe non-@mozilla accounts?). Still, I don't find cloning and especially the cc list copying very useful and maybe it is even less ideal for sec-sensitive bugs.

Yup. My bad.

Status: NEW → ASSIGNED
Whiteboard: [reporter-external][found by ronmasas, see CC list] → [reporter-external][found by ronmasas, see CC list][domsecurity-active]

I think we can open this up as we haven't shipped this feature and it requires changing an advanced setting.

I wasn't aware this was behind a pref. That also clarifies some other problems I had when testing this earlier in the week... 🤦‍

Group: dom-core-security

Can't actually verify the bug with the pref actually set. This is embarrassing.

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → WORKSFORME