I open a popup from my main page with this code:
<a href="http://external.domain.tld/" onclick="window.open(this.href, '_blank', 'width=512,height=512,left=200,top=100');return false"> Open popup </a>
This works fine, but my problem is that the document loaded in the popup has permission to change the location of the opener window. This even works when the document in the popup is from another domain. He does not have permission to read the location, but he is allowed to change the location. I do not want it. I want the popup to be completely disconnected from my main page.
Even without JavaScript, this does not work. When I open another page in a new tab using the target="_blank" attribute, then this tab is still allowed to go to the opener window and change its location:
<a href="http://external.domain.tld/" target="_blank"> Open in new tab </a>
This is the code of an open document that should not be allowed:
<script> opener.location.href = "http://badsite.tld/"; </script>
You can see the live demo here . Click one of the two links to open another page in a pop-up or new tab, which then loads the third page into the window that opens. This is what I am trying to prevent.
Is there any trick I can use to break the connection between the opening window and the open window? Ideally, an open window should not know that it was open by any other window.
kayahr
source share