electron: In sandbox mode, window.opener doesn't work when children are from different domain
- Electron version: 1.4.10
- Operating system: Darwin x64
Expected behavior
When a popup pointed to a different domain from the parent is opened. window.opener should not be null. It is required for many OAuth authentication where the parent and the child (popup) is from different domains.
Actual behavior
When a popup is pointed towards the same domain window.opener is present but when its pointed towards a different domain window.opener is null
How to reproduce
main.js
app.on('ready', () => { console.log("ready"); const win = new BrowserWindow({webPreferences: { sandbox: true }}) win.loadURL('http://localhost:8888/index.html'); })
index.html
<a href="javascript:window.open('https://app.asana.com')">Click here</a>
window.opener is null at app.asana.com because the domain is different from the parent
About this issue
- Original URL
- State: closed
- Created 8 years ago
- Reactions: 27
- Comments: 25 (7 by maintainers)
If someone need it, I made a repo to reproduce this bug: https://github.com/eyarz/electron-new-window-bug
+1 would love to see this one fixed
@alexeykuzmin I haven’t looked into it yet.
I’ve been wrestling
window.openissues for the past day and a half, all to attempt to get Google and other OAuth to work. I’ve tried with electron’swindow.openimplementation, initially planning bridge sync calls likewindow.opener.foovia ipc with node-fibers. Due to #9581 , that isn’t an option. I also tried the newnativeWindowOpen, which is by far the most promising, but ran into this issue. After debugging my use case further I found something surprising… thewindow.openeris correctly set when the page first loadsabout:blank, but gets lost when it loads the url supplied to theBrowserWindowI’m curious if navigating fromabout:blankto another site is confusing chromiums security policy (as thewindow.openerwould normally be unset when you change domains). //cc @kevinsawicki