window.open() uses incorrect global object to determine if navigation is allowed
Created attachment 437965: Patch
<rdar://problem/83274097>
Created attachment 438829: Patch
Add <iframe sandbox> tests and ChangeLog.
Created attachment 441144: Cross-browser research
The spec seems to be way off the implementations, yet WebKit is way off other engines by using _current_ instead of _relevant_.
Comment on attachment 438829 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=438829&action=review r=me > Source/WebCore/ChangeLog:21 > + and "allow-same-origin" flags are present. If that's the acse, an <iframe> can simply case > Source/WebCore/ChangeLog:24 > + Although per current spec [4], window.open() uses _entry_ global object pretty much Entry global object would be an obvious security / pop-up blocking bug. Seems worth filing a spec issue to correct this. > Source/WebCore/page/DOMWindow.cpp:2549 > -ExceptionOr<RefPtr<WindowProxy>> DOMWindow::open(DOMWindow& activeWindow, DOMWindow& firstWindow, const String& urlStringToOpen, const AtomString& frameName, const String& windowFeaturesString) > +ExceptionOr<RefPtr<WindowProxy>> DOMWindow::open(DOMWindow& firstWindow, const String& urlStringToOpen, const AtomString& frameName, const String& windowFeaturesString) What is 'firstWindow'? Is it the entry global object, the incumbent global object, the top of stack global object, or something else?
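Review bot: At Source/WebCore/page/DOMWindow.cpp:2549, dropping `activeWindow` from `DOMWindow::open` leaves `firstWindow` as the only window argument, and nothing in the new signature says which global object now decides whether the navigation is allowed. That choice is the security-relevant point of this bug, so state it in a comment at the declaration and rename `firstWindow` to match the global object it actually represents, so callers cannot pass the wrong one unnoticed.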
Checking via BugID on WebKit GitHub, it seems that this bug has not landed. Do we need it? Thanks!