Peculiar type of cross-domain scripting

Posted: Fri Apr 01, 2016 10:42 pm
by detuur
So I happened upon this demonstration of some sort of cross-domain scripting that I've never seen before:
https://mathiasbynens.github.io/rel-noopener (benign POC page)

Now, the malicious potential doesn't seem that high, for now, but maybe it's worth warning NoScript users when this trick is used in suspicious circumstances, such as a page from another domain manipulating the original page.

What are you guys' thoughts on this?

Apologies if this is old news to you, by the way.

Re: Peculiar type of cross-domain scripting

Posted: Fri Apr 01, 2016 11:49 pm
by barbaz
Cross-origin example doesn't load for me:
Secure Connection Failed

An error occurred during a connection to mathiasbynens.be.

Peer using unsupported version of security protocol.

Error code: SSL_ERROR_UNSUPPORTED_VERSION
And it's not letting me use plain http.

Anyway... NoScript does have background tab refresh protections, which should protect against this, right? So does this "attack" still work with NS enabled if it hijacks the original tab actually to a different page, instead of just a different hash on the same page?
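
The linked demo is about a newly opened page keeping a `window.opener` handle to the tab that opened it. As an added example (not code from this thread or from the linked page), here is one way a site author could audit markup for links that open a new browsing context without `rel="noopener"` or `rel="noreferrer"`; the function names and the sample markup are constructed for illustration.

```javascript
// Added example: flag links that give the opened page a window.opener handle.
// Regex-based scan for an audit pass over templates; not a full HTML parser
// (a ">" inside an attribute value would end the tag match early).
const LINK_TAG = /<(a|area)\b([^>]*)>/gi;
const ATTR = /([^\s"'=<>\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
// Targets that reuse an existing context instead of opening a new one.
const SAME_CONTEXT = new Set(["", "_self", "_parent", "_top"]);

function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR)) {
    const name = m[1].toLowerCase();
    // First occurrence wins, as browsers do with duplicate attributes.
    if (!(name in attrs)) attrs[name] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

function findOpenerLeaks(html) {
  const findings = [];
  for (const m of html.matchAll(LINK_TAG)) {
    const attrs = parseAttrs(m[2]);
    const target = (attrs.target || "").trim().toLowerCase();
    if (SAME_CONTEXT.has(target)) continue; // opens no new context
    const rel = (attrs.rel || "").toLowerCase().split(/\s+/).filter(Boolean);
    // noreferrer implies noopener, so either token is sufficient.
    if (rel.includes("noopener") || rel.includes("noreferrer")) continue;
    findings.push({ href: attrs.href || "", target, tag: m[0] });
  }
  return findings;
}

// Constructed sample markup (not taken from any real site).
const SAMPLE = `
<a href="https://other.example/page" target="_blank">flagged</a>
<a href="https://other.example/safe" target="_blank" rel="nofollow noopener">ok</a>
<a href='https://other.example/ref' TARGET=_blank REL=noreferrer>ok</a>
<a href="/local" target="_self">same tab</a>
<a href="https://other.example/named" target="popup">flagged</a>
<abbr title="not a link">x</abbr>
`;

for (const f of findOpenerLeaks(SAMPLE)) {
  console.log(`missing rel=noopener: ${f.href} (target=${f.target})`);
}
```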

Re: Peculiar type of cross-domain scripting

Posted: Sun Apr 03, 2016 11:18 pm
by Thrawn
Hmm. I tried it, and...well, I never whitelisted the attacker, so no effect :).

Re: Peculiar type of cross-domain scripting

Posted: Tue Jan 24, 2017 9:57 pm
by barbaz
Locking in favor of viewtopic.php?f=7&t=22510 .