23:22 <isd> So, I'm digging into the CVEs in ttrss since it was last updated, and trying to understand their impact in Sandstorm. I think the impact is actually none -- I think we mitigate the issues already. But I'm trying to understand the mechanics of how, and I'm a little fuzzy on how we deal with window.opener issues.

23:24 <isd> Experimentally, it seems like doing window.open(...) inside of a grain doesn't give the target page useful access to anything -- there's a window.opener with some properties, but greatly restricted and nothing that seems actually dangerous; I can't even inspect window.opener.location (it's some opaque object that can't be converted to a string, and likewise for its attributes)

23:24 <isd> This looks like it's in-line with the same-origin policy.

23:25 <isd> The relevant CVE is at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000035

23:26 <isd> What I don't understand is: what is the actual vector here? does it work in older browsers? Is it actually just that it's only an issue for same-origin attackers?