1. 30

  2. 4

    Update: FF does not support “noopener” …

    Firefox is working on implementing noopener, and discussing whether it’s possible to add some security by default.

    I’m curious about the linked Google page Phishing by navigating browser tabs:

    Unfortunately, we believe that this class of attacks is inherent to the current design of web browsers and can’t be meaningfully mitigated by any single website; in particular, clobbering the window.opener property limits one of the vectors, but still makes it easy to exploit the remaining ones.

    What are the remaining vectors? I can’t identify them. And what about the design of current browsers makes it so hard to secure those vectors?

    If the paragraph is accurate, then our discussion on this page about fixing the problem client-side needs to take it into account.

    1. 1

      Just a wild guess, but maybe it would interfere with Google Analytics referrals? In which case it would not be in their best interests to fix this? Otherwise I have no idea.

    2. 2

      Is there any way to “fix” this on the client side? I wonder what webapps depend on this behavior…

      1. 2

        It’s as simple as restricting access to window.opener if it’s from a different domain.

        1. 2

          That’s the what. But how?

          1. 2

            you could just set window.opener = null on pageload with greasemonkey or something. Don’t know how this will fare in the realm of javascript race conditions though

            1. 4

              I was thinking of using Greasemonkey too. I think as long as you set @run-at document-start, your code will run before the page’s code. Here is a full Greasemonkey user script to contain that code (I haven’t tested it):

              // ==UserScript==
              // @name  Disable `window.opener`
              // @namespace  http://roryokane.com/
              // @description  Disable the `window.opener` feature on pages opened in new tabs, to avoid a certain type of phishing attack.
              // @include http://*
              // @include https://*
              // @run-at document-start
              // @grant none
              // ==/UserScript
              window.opener = null;

              To try it out, tell Greasemonkey or NinjaKit to create a new user script, then copy and paste the code above into it.

        2. 1

          A lot of webapps depend on similar behaviour: open a new window and setting the location afterwards which can lead to similar fishing