6

Maybe a silly question. When opening a new tab via target="_blank", the page that loads in that tab is allowed to set a new location in the parent tab using:

window.opener.location.replace('http://www.google.com');

Does this not violate the Same-Origin Policy? I could easily point that redirect to a malicious site that looks exactly like the original one.

mart1n

1 Answer

5

I do not think that this violates the Same-Origin Policy, because the child tab is not able to access the data in the parent tab or modify its content.

This was probably designed like this in order to allow web developers to offer a better user experience when dealing with multiple windows.

On the other hand, this is definitely something a web developer should be aware of, and target="_blank" should only be used when this specific functionality is required.

It is easy to protect against this kind of attack, and most big websites (google.com, twitter.com, etc.) do this by opening links in new tabs with the window.opener property set to null.

This has been reported as a bug to the Chromium team, but it was marked as WontFix because it was not considered to be a bug:

The user decides to trust a particular tab by inspecting the URL and determining the origin. In all cases here both tabs are always showing the correct origin for the content being shown.

On android, when entering any data into a form, the origin is always shown, even if it's previously been elided by scrolling down. The user can then make a trust decision based on this visible origin.

Given this, I don't see any risk to users more than the users just clicking on a link and visiting a new page, so I am closing with WontFix.


Dinu
  • Thanks for the link to the Chromium bug. Very interesting! I would definitely disagree with their logic, but this is not the forum to discuss that :) Mitigation by setting `window.opener` to null will come in handy. Thanks again! – mart1n Jan 20 '15 at 15:57
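Added example (not code from the question or the answer above): the redirect described in the question, side by side with the `window.opener = null` mitigation the answer mentions and its declarative equivalent `rel="noopener"`. The function names, the window-like objects passed in, and the sample HTML are assumptions made so the code runs in Node without a browser; in a real page `win` would be `window`.

```javascript
// Added example: demonstrating the window.opener redirect and its mitigations.
// Nothing here is from the original post; names and mock objects are assumed.

// What the page in the new tab can do when it still has an opener. `child` is
// a window-like object standing in for the new tab's `window`. Returns true
// if the parent tab was redirected.
function attackerRedirect(child, phishingUrl) {
  if (!child.opener) return false;           // opener severed: nothing to redirect
  child.opener.location.replace(phishingUrl); // this is the line from the question
  return true;
}

// Mitigation 1: open the new tab programmatically without a usable opener.
// `win` is the opening page's window (assumed to expose open() like window.open).
function openWithoutOpener(win, url) {
  // Browsers that honour the "noopener" feature return null and give the new
  // browsing context no opener at all.
  const child = win.open(url, '_blank', 'noopener');
  if (child) {
    // Older browsers ignore "noopener" and hand back the window; sever the
    // link explicitly before the new page gets a chance to run scripts.
    child.opener = null;
  }
  return child;
}

// Mitigation 2: the declarative form for markup. Every target="_blank" anchor
// gets rel="noopener noreferrer". Regex-based so it runs without a DOM; it is
// a lint helper, not a general HTML parser.
function hardenBlankLinks(html) {
  return html.replace(/<a\b([^>]*)>/gi, (tag, attrs) => {
    if (!/\btarget\s*=\s*["']?_blank["']?/i.test(attrs)) return tag;
    const relMatch = attrs.match(/\brel\s*=\s*["']([^"']*)["']/i);
    const tokens = new Set(relMatch ? relMatch[1].split(/\s+/).filter(Boolean) : []);
    tokens.add('noopener');
    tokens.add('noreferrer');
    const rel = `rel="${[...tokens].join(' ')}"`;
    const newAttrs = relMatch ? attrs.replace(relMatch[0], rel) : `${attrs} ${rel}`;
    return `<a${newAttrs}>`;
  });
}

// Audit helper: list target="_blank" anchors that still lack rel="noopener".
function findUnsafeBlankLinks(html) {
  const unsafe = [];
  for (const m of html.matchAll(/<a\b([^>]*)>/gi)) {
    const attrs = m[1];
    if (!/\btarget\s*=\s*["']?_blank["']?/i.test(attrs)) continue;
    const relMatch = attrs.match(/\brel\s*=\s*["']([^"']*)["']/i);
    const rel = relMatch ? relMatch[1].toLowerCase().split(/\s+/) : [];
    if (!rel.includes('noopener')) unsafe.push(m[0]);
  }
  return unsafe;
}

// Constructed sample markup for the audit/harden helpers.
const SAMPLE_HTML =
  '<a href="/x" target="_blank">x</a> ' +
  '<a href="/y">y</a> ' +
  '<a href="/z" target="_blank" rel="nofollow">z</a>';
```

`rel="noreferrer"` is included alongside `noopener` because browsers that predate `noopener` treat `noreferrer` as implying it. Note that the mitigation must be applied by the page doing the linking: once the new tab has run a script with a live `opener`, it is too late.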