October 1, 2020
Getting access to a website's `window` object is a common prerequisite for different XS-Leak techniques. Framing Protections can ensure that an attacker cannot use iframes to access the `window` object, but this does not stop an attacker from accessing the `window` object of a window opened through `window.open`.
Exploiting XS-Leaks with `window.open` is generally seen as the least appealing option for an attacker because the user can see it happen in the open browser window. However, it's usually the right technique when:

- A page sets Framing Protections.
- A page sets Same-Site Cookies with `Lax` mode (in contrast to the `Strict` mode, navigating a top-level window is allowed by the
There are three possible values for the COOP header:

- `unsafe-none` – This is the default value and is how websites behave if no value is set.
- `same-origin` – This is the strictest value. If you set `same-origin`, then cross-origin websites cannot get access to your `window` object through opening new windows. If your application relies on using `window.open` to open another website and communicate with it, this will be blocked by `same-origin`. If this is an issue, set `same-origin-allow-popups`.
- `same-origin-allow-popups` – This value allows your website to use `window.open`, but does not allow other websites to use `window.open` against your application.
If possible, it is recommended to set `same-origin`. If you set `same-origin-allow-popups`, be sure to review what websites you open with `window.open` and ensure that they are trusted.
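The following is an added example, not code from the original post: it audits a COOP header value against the three values listed above, and shows one way to act on the recommendation for `same-origin-allow-popups` deployments by only handing out a `window` reference to an allowlisted set of origins. The `win` parameter, the `TRUSTED_POPUP_ORIGINS` set and the `example` hostnames are constructed for the example.

```javascript
// Rate a Cross-Origin-Opener-Policy header value. COOP is a structured header,
// so parameters such as `; report-to="coop"` are stripped before matching.
// A missing or unrecognised value leaves the browser at "unsafe-none".
function auditCoop(headerValue) {
  const value = (headerValue || "").split(";")[0].trim().toLowerCase();
  switch (value) {
    case "same-origin":
      return { value, protectsWindowRefs: true, canOpenPopups: false };
    case "same-origin-allow-popups":
      return { value, protectsWindowRefs: true, canOpenPopups: true };
    default:
      return { value: "unsafe-none", protectsWindowRefs: false, canOpenPopups: true };
  }
}

// Constructed allowlist: the only cross-origin sites this app is willing to
// keep a window reference to when deployed with same-origin-allow-popups.
const TRUSTED_POPUP_ORIGINS = new Set(["https://accounts.example"]);

// Open `target` from window `win` (injected so this runs outside a browser).
// Same-origin and allowlisted https origins get a normal popup and a usable
// reference; anything else is opened with "noopener", so the new window has
// no opener and this function returns no handle to it.
function openTrusted(win, target, trusted = TRUSTED_POPUP_ORIGINS) {
  let url;
  try {
    url = new URL(target, win.location.href);
  } catch {
    return null; // unparsable target: do not open anything
  }
  if (url.protocol !== "https:") return null; // refuse javascript:, data:, http:
  const ownOrigin = new URL(win.location.href).origin;
  if (url.origin === ownOrigin || trusted.has(url.origin)) {
    return win.open(url.href, "_blank");
  }
  win.open(url.href, "_blank", "noopener");
  return null;
}
```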
Since COOP is an opt-in mechanism and a very recent one, it can easily be overlooked by developers and security engineers. Nonetheless, it's worth highlighting the importance of this defense mechanism, as it is the only way to prevent attackers from exploiting XS-Leaks which make use of window references returned by APIs like `window.open` (unless SameSite Cookies in the `Strict` mode can be widely deployed).
Check out this web.dev article to learn more about the advantages of this protection and how to deploy it.