Bug 308992
| Summary: | [Site Isolation] window.open with a javascript url on a cross origin target window is not blocked | | |
|---|---|---|---|
| Product: | WebKit | Reporter: | Anthony Tarbinian <a.tarbinian> |
| Component: | WebKit Process Model | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | a_tarbinian, nham, webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
Anthony Tarbinian
When window.open is called, a "target" argument can optionally be provided. This "target" parameter describes the name of the new window to open. If a window with the given "target" parameter already exists, then window.open will reuse that window for the navigation. See https://html.spec.whatwg.org/multipage/nav-history-apis.html#dom-open-dev
Using this target parameter, we can reuse existing windows for navigation. If we choose the right window name, we can choose a window that is cross origin from our active context, effectively performing a navigation of a cross origin frame.
When it comes to javascript: URLs, the HTML navigation spec doesn't allow navigation to a javascript: URL where the origin of the target document is different from that of the active document.
See step 4 of Section 7.4.2.3.2 of the HTML navigation spec which describes the special case of navigating to javascript urls.
https://html.spec.whatwg.org/#the-javascript:-url-special-case
> If initiatorOrigin is not same origin-domain with targetNavigable's active document's origin, then return.
This is essentially the same bug as https://bugs.webkit.org/show_bug.cgi?id=305615, except that it uses window.open instead of directly setting the .src attribute of frames/iframes.
Here is an example of a window.open call which should be blocked:
```html
<!-- HTML: the target is a cross-origin frame named "tg" -->
<iframe onload="runTest()" name="tg"
        src="https://wikipedia.org"></iframe>
<script>
// JS currently running at example.com
// note the target window "tg"; this call should be blocked
function runTest() {
  window.open("javascript:alert('FAIL')", "tg");
}
</script>
```
This bug happens in the following LayoutTests with site isolation enabled:
- http/tests/security/xss-DENIED-window-open-javascript-url-with-spaces.html
- http/tests/security/xss-DENIED-window-open-javascript-url.html
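The spec step quoted above, as an added illustration that is not WebKit's code or part of this bug report: the javascript: URL special case modelled as pure functions over origin tuples, with the origin record shape, the opaque-origin-as-null convention and the sample origins being assumptions made here.

```javascript
// Added illustration, not WebKit's code: the javascript: URL special case from the
// HTML navigation spec, modelled as pure functions over origin tuples.
// Assumed shapes: origin = { scheme, host, port, domain } where domain is null
// unless document.domain was set; an opaque origin is represented as null.

// Same origin: identical scheme, host and port (opaque origins never match).
function sameOrigin(a, b) {
  if (a === null || b === null) return false;
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Same origin-domain (HTML spec): same origin with neither domain set, or same
// scheme with both domains set and equal (the document.domain relaxation).
function sameOriginDomain(a, b) {
  if (a === null || b === null) return false;
  if (sameOrigin(a, b) && a.domain === null && b.domain === null) return true;
  return a.scheme === b.scheme && a.domain !== null && a.domain === b.domain;
}

// Scheme extraction as the URL parser does it: strip leading/trailing C0
// controls and spaces, drop embedded tabs/newlines, then read the scheme.
function urlScheme(raw) {
  const s = raw.replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "")
               .replace(/[\t\n\r]/g, "");
  const m = /^([A-Za-z][A-Za-z0-9+\-.]*):/.exec(s);
  return m ? m[1].toLowerCase() : null;
}

// Decision for navigating the target navigable to `url` from a document with
// `initiatorOrigin`: "not-javascript" (ordinary navigation), "blocked" (spec
// step: initiator not same origin-domain with the target's document), or "run".
function javascriptUrlNavigation(url, initiatorOrigin, targetActiveDocOrigin) {
  if (urlScheme(url) !== "javascript") return "not-javascript";
  if (!sameOriginDomain(initiatorOrigin, targetActiveDocOrigin)) return "blocked";
  return "run";
}

// Constructed sample matching the bug's test case: opener at https://example.com,
// target frame "tg" showing https://wikipedia.org.
const exampleCom = { scheme: "https", host: "example.com", port: null, domain: null };
const wikipedia = { scheme: "https", host: "wikipedia.org", port: null, domain: null };
console.log(javascriptUrlNavigation("javascript:alert('FAIL')", exampleCom, wikipedia)); // blocked
```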
Radar WebKit Bug Importer
<rdar://problem/171541099>
Anthony Tarbinian
Pull request: https://github.com/WebKit/WebKit/pull/59728
EWS
Committed 308632@main (67d0f9bda630): <https://commits.webkit.org/308632@main>
Reviewed commits have been landed. Closing PR #59728 and removing active labels.