javascripthtmliframexss

Assigning window.open causes a DOMException

I have an iframe embedded in a different domain that opens up a popup window in a different domain. I am trying to establish cross window communication and running into a bunch of XSS security measures stopping this. One thing I am attempting to do is to assign the window I am opening to a variable.

    let openedWindows = [];
    window.__open = window.open;

    window.open = function(url, name, features) {
        openedWindows.push(window.__open(url, name, features));
        console.log(openedWindows);
    }


    <button onclick="window.open('{{url}}', 'name', 'popup=true,width=300,height=300')></button>

However, when I try this I see that I get a DOMException. Is there no secure workaround here? I control the web app in the iframe and the webapp in the popup but not the webapp that the iframe is embedded in.enter image description here

My goal is to be able to use window.postMessage to get data from the child popup to the embedded iframe.

Solution

  • No need. window.open returns the reference

    let openedWindows = [];
const myOpen = (url, name, features) => {
  openedWindows.push(window.open(url, name, features));
  console.log(openedWindows);
};

button.addEventListener('click', () => myOpen({{url}}', 'name', 'popup=true,width=300,height=300'))

    However, you will likely have issues accessing said window, since the content is not from your origin