diff --git a/lib/iframeProtection.js b/lib/iframeProtection.js index dc1f838..9e1295f 100644 --- a/lib/iframeProtection.js +++ b/lib/iframeProtection.js @@ -262,6 +262,32 @@ ); } + function protectWindowOpen({window, wrappedWindow, changeProperty, singleCallback}){ + const windowOpenDescriptor = Object.getOwnPropertyDescriptor( + wrappedWindow, + "open" + ); + const windowOpen = windowOpenDescriptor.value; + const getDocument = Object.getOwnPropertyDescriptor( + window, + "document" + ).get; + changeProperty( + wrappedWindow, + "open", "value", exportFunction(function open(){ + const newWindow = arguments.length? + windowOpen.apply(this, window.Array.from(arguments)): + windowOpen.call(this); + if (newWindow){ + // if we use windowOpen from the normal window we see some SOP errors + // BUT we need the unwrapped window... + singleCallback(getDocument.call(newWindow).defaultView); + } + return newWindow; + }, window) + ); + } + scope.protect = function protect(window, wrappedWindow, singleCallback, allCallback){ const changeProperty = createChangeProperty(window); @@ -280,5 +306,7 @@ // MutationObserver does not trigger fast enough when document.write is used protectDocumentWrite(api); + + protectWindowOpen(api); }; }()); \ No newline at end of file diff --git a/releaseNotes.txt b/releaseNotes.txt index 66e2bfe..2230664 100644 --- a/releaseNotes.txt +++ b/releaseNotes.txt @@ -12,6 +12,7 @@ Version 0.5.15: - settings sanitation: added missing APIs - navigator.oscpu and navigator.buildID are undefined in non Gecko browsers - resetting the settings had undesired side effects + - added window.open protection known issues: - if a data URL is blocked the page action button does not appear diff --git a/test/test.html b/test/test.html index d3dcd01..5c4ae15 100644 --- a/test/test.html +++ b/test/test.html @@ -65,5 +65,11 @@ Hash: (isPointInPath: ) +