Add check for header Cross-Origin-Opener-Policy

[craigfrancis]

The Cross-Origin-Window-Policy header is now supported in Safari Technology Preview 59 (and hopefully other browsers soon):

whatwg/html#3740
https://groups.google.com/a/chromium.org/forum/#!topic/isolation-policy/zueJF9ad20g
https://www.arturjanc.com/cross-origin-infoleaks.pdf
https://webkit.org/blog/8332/release-notes-for-safari-technology-preview-59/

e.g.

Cross-Origin-Window-Policy: Deny
Cross-Origin-Window-Policy: Allow
Cross-Origin-Window-Policy: Allow-PostMessage

[gapple]

Support has now been removed in Safari Technology Preview 67
https://webkit.org/blog/8419/release-notes-for-safari-technology-preview-67/

[feross]

It has launched in Safari here: https://developer.apple.com/safari/whats-new/

• cross-origin-window-policy
  Added support for cross-origin-window-policy to defend against Cross Site Script Inclusion attacks.

[craigfrancis]

Just to note, this has been renamed from Cross-Origin-Window-Policy to Cross-Origin-Opener-Policy.

But I can't find any browser that supports it properly yet.

Firefox - behind flag browser.tabs.remote.useCrossOriginOpenerPolicy.
Chrome - has no implementation yet.
Webkit - I can only find the removal notes.

<!DOCTYPE html>
<html lang="en" xmlns="http://www.w3.org/1999/xhtml">
<head>
  <meta charset="UTF-8" />
  <title>Cross-Origin-Opener-Policy</title>
</head>
<body>

  <p><a href="https://portal.contact-associates.co.uk/" id="link">Example</a></p>

  <script type="text/javascript">
    var link = document.getElementById('link');
    link.addEventListener('click', function(e) {
      var ref = window.open(this.getAttribute('href'));
      window.setTimeout(function() {
          ref.window.location = 'https://www.example.org/';
        }, 1000);
      e.preventDefault();
    });
  </script>

</body>
</html>

[feross]

Thanks for the clarification!