by Retr0spectrum 3549 days ago
See this comment for a cross-domain demo: https://news.ycombinator.com/item?id=11631810

It's a fairly big deal, but not much is being done about it on the browser side of things. It can only really be used for phishing-style attacks.

1 comments

You cannot access the opener's document as aji's example does cross-origin.
Sorry, I didn't read the comment carefully enough.

I assumed we were still talking about window.opener.location (which can be modified across domains).