4

I know XSS is possible if window.name is echoed onto the page, but from my understanding this requires you to use an iframe. What if the page has clickjacking protection, stopping the page from being embedded in an iframe? Is such an attack still possible? Here's example jQuery:

<script>
$("div").html(window.name);
</script>
Michael Blake

2 Answers

5

The other way to get hold of another window is to pop it up. You can specify the window name in the second parameter:

var victim= window.open('http://example.com/vulnerable', '<script>alert("boom");<\/script>');
bobince
2

The method .text() seems more adequate/safer to solve the functional requirement of echoing the window.name in the page DOM.

<script>
$("div").text(window.name);
</script>

From the jQuery docs: http://api.jquery.com/text/

We need to be aware that this method escapes the string provided as necessary so that it will render correctly in HTML. To do so, it calls the DOM method .createTextNode()

DavidC
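Added example, not part of either answer above: because an opener can set window.name through window.open, framing protection does not make the value trustworthy, so this sketch validates it before use and writes it only through a text sink. The helper names, the allow-list pattern and the `<div id="name">` element are assumptions made for illustration.

```javascript
// Added example; helper names and the allow-list are hypothetical.
// window.name is chosen by whoever created the browsing context
// (an iframe's name attribute or the second argument of window.open),
// so it is untrusted input even when framing is blocked.

// Assumed policy: this page only ever expects a short identifier.
const EXPECTED_NAME = /^[A-Za-z0-9_-]{1,32}$/;

// Return the name only if it has the expected shape; otherwise clear it
// so the rejected value is not read again later on this page.
function readWindowName(win) {
  const name = String(win.name || '');
  if (EXPECTED_NAME.test(name)) return name;
  win.name = '';
  return '';
}

// For code that must build an HTML string: escape the characters that
// would start markup, matching how a text node is serialised.
function escapeText(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Safe sink: textContent never parses HTML (same effect as jQuery .text()).
function showWindowName(win, el) {
  el.textContent = readWindowName(win);
  return el.textContent;
}

// Browser usage (assumes a <div id="name"> exists on the page).
if (typeof document !== 'undefined') {
  const el = document.getElementById('name');
  if (el) showWindowName(window, el);
}
```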