UNCONFIRMED26388
WebKit should allow cross-site scripts to set top.opener.location to a different URL 
https://bugs.webkit.org/show_bug.cgi?id=26388
Summary WebKit should allow cross-site scripts to set top.opener.location to a differ...
Yuan Qi
Reported 2009-06-14 13:08:49 PDT
This bug exists on Safari 4 beta/final and WebKit nightly. If I am not mistaken, the reason behind restricting cross-site scripts to set top.opener.location is to prevent phishing attacks. However, this breaks bill payment function of epost when accessed through financial institutions and likely other websites. Instead of silently breaking those websites, WebKit should allow cross-site scripts to set top.opener.location, but display a warning on the target window when the domain is about to be changed.
Attachments
Test case (1.98 KB, application/octet-stream)
2009-06-18 15:10 PDT, Yuan Qi 		no flags
Details
View All Add attachment proposed patch, testcase, etc.
Yuan Qi
Comment 1 2009-06-17 18:43:30 PDT
This bug is a regression from previous versions of Safari (v1-3)
Sam Weinig
Comment 2 2009-06-17 18:58:52 PDT
<rdar://problem/6982997>
Adam Barth
Comment 3 2009-06-17 21:01:27 PDT
Do you have a test case we can use to reproduce the issue?
Yuan Qi
Comment 4 2009-06-18 15:10:15 PDT
Created attachment 31512 [details] Test case Here is how to reproduce this bug: 1. Copy popup.html to ~/Sites/ 2. Enable Web Sharing 3. Edit testcase.html and change YOUR_IP_ADDRESS and YOUR_USERNAME to the proper values 4. Disable popup window blocking 5. Open testcase.html in your browser. A popup window should open immediately. 6. When you close the popup window, the window that opened the popup window should be redirected to www.apple.com The test case works on Safari 3.2.3 and Firefox 3.5rc1, but fails on WebKit r44815
Yuan Qi
Comment 5 2009-08-11 15:25:50 PDT
Have you been able to reproduce this bug using my test case? Again, Safari appears to be only browser to have adopted this behaviour. IE8, Firefox 3.5 and Chrome all have no problems with the my bank's website.
Note You need to log in before you can comment on or make changes to this bug.