bypassing Cross-Origin-Opener-Policy by navigating an existing popup navigation
Categories: Core :: DOM: Security, defect, P2
People: Reporter: freddy, Assigned: valentin
Details: Keywords: sec-moderate, Whiteboard: [reporter-external][found by ronmasas, see CC list][domsecurity-active]
+++ This bug was initially created as a clone of Bug #1521808 +++
You can bypass COOP with these simple steps:
- open a popup to something that is allowed e.g.,
    p = window.open("about:blank")
- navigate that popup with
    p.location.href = coopProtectedURL
- reference p is still valid and can be navigated further
What should happen:
Should invalidate the reference after 2).
Comment 1 (Reporter) • 5 years ago
We should have a test in wpt for this.
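Added example, not part of the original bug thread and not Mozilla's or wpt's own test code: a regression check for the three steps in the description, reporting whether the opener's handle is invalidated after step 2. It assumes the invalidated handle shows up as `p.closed === true`, that `coopProtectedURL` is served with `Cross-Origin-Opener-Policy: same-origin`, and the function name and options are hypothetical.

```javascript
// Added example, not code from the bug or from Firefox's test suite.
// Assumptions: `win` exposes window.open() (pass `window` in a browser page);
// `coopProtectedURL` answers with "Cross-Origin-Opener-Policy: same-origin";
// an invalidated handle is observed as `p.closed === true`.
async function popupSeveredAfterCoopNavigation(win, coopProtectedURL, opts = {}) {
  const { timeoutMs = 3000, pollMs = 50 } = opts;

  // Step 1 of the report: open a popup to something that is allowed.
  const p = win.open("about:blank");
  if (!p) throw new Error("popup was blocked, the result would be meaningless");

  // Step 2: navigate the existing popup to the COOP-protected page.
  p.location.href = coopProtectedURL;

  // Expected behaviour: the opener's reference is invalidated once the
  // navigation commits. The commit is asynchronous, so poll until a deadline.
  const deadline = Date.now() + timeoutMs;
  while (Date.now() < deadline) {
    if (p.closed) return { severed: true };
    await new Promise((resolve) => setTimeout(resolve, pollMs));
  }

  // Deadline reached. If the handle is still live, step 3 of the report
  // (navigating further) would still be possible. Close the popup so the
  // check leaves no window behind, then report the failure.
  const stillOpen = !p.closed;
  if (stillOpen) p.close();
  return { severed: !stillOpen };
}
```

A `severed: false` result is only meaningful when COOP enforcement is switched on in the browser under test; comment 4 notes the feature required changing an advanced setting at the time.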
Comment 2 • 5 years ago
Totally off topic and I'm sorry about that, but fwiw, I was on the cc list of Bug #1521808 (the one you cloned from) and now I was also cc'ed on this sec-sensitive bug (those sec bugs get marked differently in my inbox and I almost immediately look at them).
Here, it looks like some people were removed when cloning (maybe non-@mozilla accounts?). Still, I don't find cloning and especially the cc list copying very useful and maybe it is even less ideal for sec-sensitive bugs.
Comment 3 (Reporter) • 5 years ago
(In reply to Florian Scholz [:fscholz] (MDN) from comment #2)
> Here, it looks like some people were removed when cloning (maybe non-@mozilla accounts?). Still, I don't find cloning and especially the cc list copying very useful and maybe it is even less ideal for sec-sensitive bugs.
Yup. My bad.
Comment 4 • 5 years ago
I think we can open this up as we haven't shipped this feature and it requires changing an advanced setting.
Comment 5 (Reporter) • 5 years ago
I wasn't aware this was behind a pref. That also clarifies some other problems I had when testing this earlier in the week... 🤦
Comment 6 (Reporter) • 5 years ago
Can't actually verify the bug with the pref actually set. This is embarrassing.