Xavier59

I have 3 domains: domainA, domainB, domainC

If I set target="_blank" on domainA with a link to domainC, domainC can access a bunch of properties of domainA. That's why I use target="_blank" rel="noopener noreferrer". Otherwise, things like easier phishing are possible. Consider the following code on domainC:

if (window.opener) { window.opener.location = "http://phishing.com"; }

If domainA contains a link like <a href="https://domainC.com" target="_blank">, the condition will trigger and redirect domainA to an attacker-controlled domain. Other properties, like window.opener.length, are readable.

While it is not really a vulnerability, since it is defined by the W3C, it is unknown to most developers.

Now, I want to include an iframe from domainB in domainA, which I trust, but which is not protected against the target="_blank" vulnerability.

I tested and clicked on a link in my iframe, and it looks like window.opener wasn't null as it would be with noopener noreferrer, but I haven't been able to access its attributes or methods. When doing so (e.g. redirecting), it prints:

Unsafe JavaScript attempt to initiate navigation for frame with URL domainB from frame with URL domainC. The frame attempting navigation is neither same-origin with the target, nor is it the target's parent or opener.

Then, can we consider it safe to include an iframe without protection on target="_blank"?
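
An added example, not part of the original question: a Node.js audit that lists the target="_blank" links in a page's own markup that lack rel="noopener" or rel="noreferrer". The function names and the domainC.example sample markup are constructed for illustration, and the check only sees domainA's own HTML, not links inside a cross-origin iframe such as the one from domainB.

```javascript
// Added example (not from the original post): list target="_blank" links
// that leave window.opener available to the page they open.
// Assumption: regex tag matching is enough for an audit pass; a full HTML
// parser is more robust. The sample markup below is constructed.

// Parse one start tag's attributes into a lower-cased name -> value map.
function parseAttrs(tagText) {
  const attrs = {};
  const body = tagText.replace(/^<\s*\w+/, "").replace(/\/?>$/, "");
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Return every <a>/<area> with target="_blank" whose rel has neither
// noopener nor noreferrer (noreferrer also severs the opener reference).
function findOpenerLeaks(html) {
  const findings = [];
  const tagRe = /<(a|area)\b(?:"[^"]*"|'[^']*'|[^'">])*>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttrs(m[0]);
    if ((attrs.target || "").toLowerCase() !== "_blank") continue;
    const rel = (attrs.rel || "").toLowerCase().split(/\s+/).filter(Boolean);
    if (rel.includes("noopener") || rel.includes("noreferrer")) continue;
    findings.push({ tag: m[1].toLowerCase(), href: attrs.href || "", rel: rel.join(" ") });
  }
  return findings;
}

// Constructed sample of markup as it might appear on domainA.
const SAMPLE_HTML = `
<a href="https://domainC.example/" target="_blank">unprotected</a>
<a href="https://domainC.example/" target="_blank" rel="noopener noreferrer">protected</a>
<a href='https://domainC.example/x' target=_blank rel="nofollow">rel set, opener kept</a>
<a href="/local">same tab</a>
<map><area href="https://domainC.example/map" target="_blank"></map>
`;

for (const f of findOpenerLeaks(SAMPLE_HTML)) {
  console.log(`${f.tag} -> ${f.href} (rel="${f.rel}")`);
}
```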
