Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

What happens if they change `window.opener.location` to a javascript: URI? I'm assuming (well, hoping) it fails to work, but it would be nice to have that confirmed.



At least in chrome, you get the warning:

> Blocked a frame with origin "https://www.google.com" from accessing a frame with origin "https://news.ycombinator.com". Protocols, domains, and ports must match.

When executing

    window.opener.location = 'javascript:alert(1);'


If you do that cross-origin, the script will not be executed, both per spec and in browsers. That would be a pretty wide-gaping security hole if it worked...




Consider applying for YC's Fall 2025 batch! Applications are open till Aug 4

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: