popup / window.open spam
Open new windows with window.open and inspect popup blocking, allow-popups, opener, and tabnabbing boundaries.
Behavior by sandbox policy
| Policy | Expected result |
|---|---|
| No sandbox | works |
| sandbox="allow-scripts" | blocked |
| sandbox="" (strictest) | blocked |
Embed snippet
This snippet uses the dedicated embed page. Paste it into your own service and check rendering or blocking behavior.
<iframe src="https://xss-playground.com/embed/popup-spam?lang=en" title="XSS Playground - popup / window.open spam" width="600" height="420" loading="lazy" referrerpolicy="strict-origin-when-cross-origin"></iframe>
Explanation
- Browsers block window.open without a user gesture, but right after the user clicks anything in the iframe it typically goes through.
- Without allow-popups in sandbox, popups are blocked. If you allow arbitrary-host iframes, drop this keyword.
- If the popup is same-origin with its opener, opener-based tabnabbing is possible. Cross-origin parents are largely safe, but opener.location writes are allowed even cross-origin.
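To check the policy table against your own markup, the following added example (not code from XSS Playground) classifies each iframe in an HTML snippet by whether its sandbox attribute lets the framed page open popups. The function names, verdict strings and the sample markup are assumptions made for illustration; it also goes one step beyond the table by reporting the standard allow-popups-to-escape-sandbox token.

```javascript
// Added example, not XSS Playground code. Classifies each <iframe> in an HTML
// snippet by whether its sandbox attribute lets framed content open popups.

// Parse attributes of one <iframe ...> start tag. Quoted values are consumed
// whole, so text inside a title or src is never mistaken for an attribute.
function parseAttrs(tag) {
  const attrs = new Map();
  const body = tag.replace(/^<iframe/i, '').replace(/\/?>$/, '');
  const re = /([^\s"'<>\/=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  for (const m of body.matchAll(re)) {
    const name = m[1].toLowerCase();
    // A duplicate attribute is ignored by HTML parsers: the first one wins.
    if (!attrs.has(name)) attrs.set(name, m[2] ?? m[3] ?? m[4] ?? '');
  }
  return attrs;
}

// sandbox === undefined means the attribute is absent (no sandbox at all);
// only the browser's user-gesture popup blocker applies in that case.
function popupVerdict(sandbox) {
  if (sandbox === undefined) return 'allowed: no sandbox';
  const tokens = sandbox.toLowerCase().split(/[ \t\n\f\r]+/).filter(Boolean);
  if (!tokens.includes('allow-popups')) return 'blocked';
  return tokens.includes('allow-popups-to-escape-sandbox')
    ? 'allowed: popup is unsandboxed'
    : 'allowed: popup inherits sandbox';
}

function auditIframes(html) {
  const tagRe = /<iframe\b(?:"[^"]*"|'[^']*'|[^>"'])*>/gi;
  return [...html.matchAll(tagRe)].map(([tag]) => {
    const attrs = parseAttrs(tag);
    return { src: attrs.get('src') ?? null, verdict: popupVerdict(attrs.get('sandbox')) };
  });
}

// Constructed sample: the page's embed URL under the three policies from the
// table, plus one that opts back in to popups.
const EMBED = 'https://xss-playground.com/embed/popup-spam?lang=en';
const SAMPLE = `
<iframe src="${EMBED}" title="popup / window.open spam"></iframe>
<iframe src="${EMBED}" sandbox="allow-scripts"></iframe>
<iframe src="${EMBED}" sandbox></iframe>
<iframe src="${EMBED}" sandbox="allow-scripts allow-popups"></iframe>`;

for (const { src, verdict } of auditIframes(SAMPLE)) console.log(verdict, src);
```

Any frame reported as allowed that loads a host you do not control is a candidate for removing allow-popups or adding a sandbox attribute.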