Comment 5 for bug 1559239

Jason Stephenson (jstephenson) wrote:

The web staff client appears to be immune to this attack from 856 URLs. I was not able to make the opener location change in Chromium or Firefox when opening the link via the web staff client.

The OPAC, on the other hand, is vulnerable. I could change the opener's location in both Firefox and Chromium via some simple JavaScript of my own. I also tested with the demo page from Mathias Bynens and got similar results.

Jeff Davis' patch fixes the latter for me. I've tested it with master in both Chromium and Firefox.

I've pushed a signoff branch to the security repo:

user/dyrcona/lp1559239-target-blank-noopener-signoff

I think we should put this in with the next releases. In the meantime, more testing will not hurt.
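
An added example, not part of the comment above or of Jeff Davis' patch: a small Node.js audit that lists links in rendered HTML that open a new tab without `rel="noopener"` (or `noreferrer`, which implies it), which is the condition that leaves `window.opener` reachable. It assumes, from the branch name, that the fix is adding `rel="noopener"` to `target="_blank"` links; the function names and the sample markup are constructed for illustration.

```javascript
// Constructed sample markup; not taken from Evergreen's OPAC templates.
const SAMPLE_HTML = `
<a href="https://example.org/a" target="_blank">856 link, unprotected</a>
<a href="https://example.org/b" target="_blank" rel="noopener">protected</a>
<a href='https://example.org/c' target=_blank rel="nofollow">rel without noopener</a>
<a href="https://example.org/d" rel="NoReferrer" target="_BLANK">noreferrer implies noopener</a>
<a href="/local">same tab</a>
`;

// Parse the attributes of one <a ...> start tag into a map keyed by
// lowercase attribute name. The first occurrence of a name wins, as in browsers.
function parseAttrs(tag) {
  const attrs = {};
  const body = tag.replace(/^<a\b/i, "").replace(/\/?>$/, "");
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'=<>`]+)))?/g;
  let m;
  while ((m = re.exec(body)) !== null) {
    const name = m[1].toLowerCase();
    if (!(name in attrs)) attrs[name] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return attrs;
}

// Return the href of every anchor that targets _blank without a rel token
// that severs window.opener. Target keywords and rel tokens are compared
// case-insensitively.
function findUnsafeBlankLinks(html) {
  const unsafe = [];
  const tagRe = /<a\b(?:"[^"]*"|'[^']*'|[^'">])*>/gi;
  for (const [tag] of html.matchAll(tagRe)) {
    const attrs = parseAttrs(tag);
    if ((attrs.target || "").toLowerCase() !== "_blank") continue;
    const rel = (attrs.rel || "").toLowerCase().split(/\s+/);
    if (!rel.includes("noopener") && !rel.includes("noreferrer")) {
      unsafe.push(attrs.href || "");
    }
  }
  return unsafe;
}

console.log(findUnsafeBlankLinks(SAMPLE_HTML));
```

Running this over saved OPAC record pages before and after applying a fix gives a quick regression check alongside the manual browser testing.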